By Peter Wade
A copy of the No Fly List from 2019 has leaked, uncovered by a Swiss cybersecurity researcher and hacktivist who claims to have discovered it on an unsecured internet server belonging to an airline.
The Daily Dot first reported news that a hacktivist who uses the moniker maia arson crimew found the list one evening while browsing a Shodan, a search engine for Internet-connected devices. According to crimew, a publicly accessible server run by CommuteAir contained a text file titled “NoFly.csv” with more than 1.5 million names.
The Transportation Security Administration said in a statement that it is “is aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners.”
The No Fly List contains names/aliases and birthdates of individuals who are known or suspected to be terrorists. The list prohibits those on it from flying on commercial airlines traveling within, to or from the U.S. The list included known Russian arms dealer Viktor Bout along with 16 possible aliases for him, crimew said. While the list contained names from a range of backgrounds, including suspected members of the IRA, an Irish paramilitary organization, many names appeared to be of Arabic or Middle Eastern descent, according to crimew.
“It’s just crazy to me how big that Terrorism Screening Database is and yet there is still very clear trends towards almost exclusively Arabic and Russian sounding names throughout the million entries,” crimew said to The Daily Dot. Some people on the list, crimew said, would have been only four or five years old at the time they were on the list.
“What problem is this even trying to solve in the first place?” crimew told Business Insider. “I feel like this is just a very perverse outgrowth of the surveillance state. And not just in the U.S., this is a global trend.”
The list has grown by hundreds of thousands since the attacks on Sept. 11, 2001, and civil liberties groups, including the Council on American-Islamic Relations (CAIR) and American Civil Liberties Union (ACLU) have filed lawsuits claiming discrimination.
In a statement to CNN, CommuteAir said that the data on the server contained “an outdated 2019 version of the federal no-fly list” with names and birth dates. The airline said it has taken the server offline after being contacted by a “member of the security research community.”
The leak could lead to an investigation from Congress. “The entire US no-fly list — with 1.5 million+ entries — was found on an unsecured server by a Swiss hacker,” Rep. Dan Bishop (R-N.C.), who sits on the House Homeland Security Committee, wrote in a tweet. “Besides the fact that the list is a civil liberties nightmare, how was this info so easily accessible?”
Congress “will be coming for answers,” Bishop added.
We want to hear it. Send us a tip using our anonymous form.
Copyright © 2023 Penske Business Media, LLC. All Rights reserved.