Of all the online destinations susceptible to hacking, the U.S. government’s Terrorist Screening Database does not seem like it would be an easy target.
That assumption, however, proved faulty last week when a Swiss hacker posted details on a blog showing how easily she was able to access the sensitive information. All she needed was to gain access to an unsecured server and she was inside the infamous “No Fly” list.
That controversial list contains the names and aliases of hundreds of thousands of people with suspected links to terrorism or other dangerous and illegal activities.
The unsecured server was reportedly under the control of CommuteAir, a U.S. airline. Through this access point, it only took her 30 minutes to gather names and security credentials of the airline’s crews, and these led straight to the Transportation Safety Administration’s (TSA) No Fly list.
There, the hacker, identified only as “maia arson crimew,” found the list with over 1.5 million names. The enormous file included scores of aliases that suspected terrorists and other criminals could attempt to fly under.
Because the file includes aliases, the number of unique individuals barred from flying by the U.S. government is well beneath the 1.5 million total.
The Daily Dot reported that names and birth dates of listed persons were readily available, including infamous Russian arms dealer Viktor Bout. The international criminal was recently exchanged from U.S. custody by the Biden administration for WNBA star Brittney Griner.
Bout’s listing included more than 16 potential aliases he could attempt to travel under, and many of them were common misspellings of his last name as well as variations on his first name. The TSA list also featured different potential birthdays he could cite while moving internationally.
The expansive list reportedly included members of the Irish Republican Army (IRA) and even one eight-year-old.
The hacker noted that many of the list’s entries were names that seemed to be of Arabic or other Middle Eastern descent. Several others appeared to be Russian or South Asian.
TSA officials released a statement saying the agency was “aware of a potential cybersecurity incident with CommuteAir, and we are investigating in coordination with our federal partners.”
The hacker, who reportedly is a security researcher, found easy access online to a very sensitive list. Obviously, security must be greatly tightened, as the next person to rummage through the No Fly list may not have peaceful intentions.