A U.S. airline has leaked the federal No Fly List containing people barred from air travel because of suspected terrorist links or activity.
A Swiss hacker, known as “maia arson crimew,” told the Daily Dot that she stumbled upon the terrorist screening database while playing around with Shodan, a search engine for internet-exposed servers.
The list belonged to the North Olmsted, Ohio-based regional airline company CommuteAir. According to its Wikipedia page, the airline operates over 1,600 weekly flights to 75 destinations in the United States and three in Mexico.
No Fly List exposed millions of suspected terrorists’ records
The Daily Dot reported that the leaked No Fly List was sitting on an unsecured server and contained 1.5 million entries, most of them aliases referring to the same individuals.
However, CommuteAir downplayed the leak’s impact, saying that the exposed database was “an outdated 2019 version of the federal No Fly List” that included the suspects’ names and dates of birth.
Suspects in the No Fly List included the Russian weapons dealer Viktor Bout, aka the “Merchant of Death,” recently freed in exchange for the WNBA star Brittney Griner. Bout had over 16 aliases in the leaked federal No Fly List. Others included suspected members of the IRA (Irish Republican Army), a group of paramilitary organizations attempting to reunite Ireland.
The server also hosted an unsecured database of 900 CommuteAir employees containing names, birthdays, and the last four digits of their Social Security Numbers.
The hacker notified CommuteAir of the exposed database, prompting the airline to shut down the exposed server.
CommuteAir said it had notified the Cybersecurity and Infrastructure Security Agency (CISA) and commenced a full investigation. The Transportation Security Administration (TSA) also acknowledged the breach, adding that it was investigating a “potential cybersecurity incident” with its federal partners.
CommuteAir explained that the leaked No Fly List was a subset of a larger database potentially with more entries. Authorities also maintain a more extensive Terrorism Screening Database with millions of suspects.
According to CommuteAir, the exposed computing infrastructure was a development server used for software testing.
Use of production data on development systems
Patrick Tiquet, Vice President, Security & Architecture at Keeper Security noted that organizations should never use production data on development systems, “no matter how seemingly benign the data appears.”
“The use of production data in development systems increases the risk of disclosure of that information because, in many organizations, development systems may not be as protected as their production systems.”
Andrew Hay, COO at LARES Consulting, faults server administrators for allowing public access on cloud data stores: “The thing that people need to understand is that the organization must explicitly configure access to these buckets,” Hay said. “Cloud providers have done a very good job protecting newly created storage buckets and restricting public access. An administrator must go out of their way to allow such access.”
Although Hay disapproves of using real data in testing, he acknowledged that sometimes organizations have to “sacrifice security for expedience and testing with live customer data.” According to Hay, creating anonymized datasets is occasionally time-consuming, and the result “doesn’t accurately reflect real data.”
According to Andrew Barratt, Vice President at Coalfire, the leak was inexcusable, regardless of the server breached: “It’s almost laughable that the excuse ‘it’s a development server’ is still used,” he said. “Funny for two reasons: 1) development environments shouldn’t be using production-sensitive data AND 2) if they are, then they should be secured the same way a production system is.”
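The alternative the experts above describe, a development dataset that keeps the shape of the production records without carrying the real values, is illustrated by the following added Python script. It is not code from the article, CommuteAir, or any of the quoted firms; the records, the pseudonym key, and the field names are constructed for the example. Each person is replaced by a deterministic keyed token, so duplicate rows for one individual still line up in test code, while names, dates of birth, and the last four Social Security digits are all synthetic. A final guard function refuses any dataset in which a production value survives unchanged.

```python
import hashlib
import hmac
import random
from datetime import date, timedelta

# Constructed sample "production" records (no real data); the shape mirrors
# the employee fields named in the article: name, birthday, last four SSN digits.
PRODUCTION_RECORDS = [
    {"employee_id": 1001, "name": "Jane Example", "dob": "1984-03-12", "ssn_last4": "1234"},
    {"employee_id": 1002, "name": "John Sample", "dob": "1990-07-30", "ssn_last4": "5678"},
    {"employee_id": 1003, "name": "Jane Example", "dob": "1984-03-12", "ssn_last4": "1234"},
]

# Hypothetical per-environment secret. It stays with the production data and
# is never copied to the development environment alongside the output.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-real-use"

def pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic token for an identity string.

    Equal inputs give equal tokens, so joins and duplicate detection still
    work in tests; without the key a token cannot be reversed or re-derived
    from a guessed input (a plain hash of a name could be)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def synthetic_name(token: str) -> str:
    """Plausible but fake name chosen by a token-seeded generator."""
    first = ["Alex", "Sam", "Jordan", "Taylor", "Morgan", "Casey"]
    last = ["Rivera", "Okafor", "Lindqvist", "Nakamura", "Dubois", "Patel"]
    rng = random.Random(token)  # str seeds are deterministic across runs
    return f"{rng.choice(first)} {rng.choice(last)}"

def shifted_dob(token: str, dob_iso: str, max_days: int = 365) -> str:
    """Shift the birth date by a token-derived, never-zero offset so the
    format and rough age distribution survive but the real date does not."""
    base = date.fromisoformat(dob_iso)
    offset = int(token, 16) % (2 * max_days) - max_days   # [-max_days, max_days - 1]
    if offset >= 0:
        offset += 1                                         # skip 0
    return (base + timedelta(days=offset)).isoformat()

def synthetic_last4(token: str, real_last4: str) -> str:
    """Four digits derived from the token; guaranteed to differ from the real value."""
    digits = int(token, 16) % 10000
    if f"{digits:04d}" == real_last4:
        digits = (digits + 1) % 10000
    return f"{digits:04d}"

def anonymize(records):
    """Produce a development copy of the records with no real personal data."""
    out = []
    for rec in records:
        # Key the token on the identifying fields so that several rows for
        # one individual collapse to the same fake identity.
        identity = f"{rec['name']}|{rec['dob']}|{rec['ssn_last4']}"
        token = pseudonym(identity)
        out.append({
            "employee_id": rec["employee_id"],   # surrogate key, safe to keep
            "name": synthetic_name(token),
            "dob": shifted_dob(token, rec["dob"]),
            "ssn_last4": synthetic_last4(token, rec["ssn_last4"]),
        })
    return out

SENSITIVE_FIELDS = ("name", "dob", "ssn_last4")

def leaks_production_values(prod, dev) -> bool:
    """Guard to run before copying a dataset to a development server:
    True if any sensitive field in any row still carries its production value."""
    return any(
        p[field] == d[field]
        for p, d in zip(prod, dev)
        for field in SENSITIVE_FIELDS
    )

if __name__ == "__main__":
    dev_copy = anonymize(PRODUCTION_RECORDS)
    for row in dev_copy:
        print(row)
    print("leaks production values:", leaks_production_values(PRODUCTION_RECORDS, dev_copy))
```

The guard is the part to wire into the release process: a copy job that refuses to proceed when `leaks_production_values` is true turns "don't put production data on dev systems" from a policy into a check.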
Wanted hacker behind the No Fly List leak
Interestingly, the Swiss hacker is wanted by the United States government for multiple cyber-related crimes, including computer intrusion and data and identity theft.
In March 2021, a grand jury in the Western District of Washington indicted Tillie Kottmann, aka “deletescape” and “tillie crimew,” for allegedly hacking various private and government organizations and posting data online between 2019 and 2021.
Kottmann was involved in exposing various surveillance programs, but the DOJ says her activities were inconsistent with freedom of speech.
According to Acting U.S. Attorney Tessa M. Gorman, “Stealing credentials and data, and publishing source code and proprietary and sensitive information on the web is not protected speech–it is theft and fraud.”
The FBI says Kottmann targeted git servers to access repositories with hard-coded administrative keys to gain unauthorized access to computer systems and discussed data thefts and computer intrusions with journalists over social media.
Kottmann, who describes herself as an anarchist trans lesbian kitten, could face up to 5 years in prison for computer fraud and abuse, 20 years for conspiracy to commit wire fraud, and 24 months for aggravated identity theft.