The Transportation Security Administration (TSA) confirmed an investigation into a “potential cybersecurity incident“. A hacker alleged access to an outdated version of TSA’s No Fly list, which contains details of known or suspected terrorists. The claim was that this data was retrieved from an unsecured computer server of CommuteAir , an Ohio-based regional airline.
CommuteAir CommuteAir stating the compromised data was a 2019 version of the no-fly list including names and birthdates. The airline, which operates 50-seat regional flights for United Airlines from several hubs, took the affected server offline after being alerted by a security researcher. The no-fly list, a result of the September 11, 2001 attacks, prohibits certain individuals from flying in or to the US.
The hacker, self-described as a cybersecurity researcher, is a 23-year-old Swiss woman namedmaia arson crimew. To support her claims, she shared samples of the exposed data, including information about known or suspected terrorists. Previously known as Tillie Kottmann, she was indicted in the US in 2021 for being part of a hacking conspiracy.
CommuteAir disclosed a separate data breach incident from November 2022, where an “unauthorized party” accessed personal information including names, birthdays, and partial social security numbers. The airline stated it is working with law enforcement to address this incident. It was first reported by tech news outlet, The Daily Dot.
The ease with which a single hacker demoted a test server is highly serious from two main aspects:
- The personal details of tens of thousands* of people on this dishonorable list have been leaked. It can be assumed that some of them are suspected of no wrongdoing and others are entitled to privacy, at least until they are arrested, suspected, investigated, have charges filed against them, and are convicted in court. It is easy to guess what the leak does to the good name of those featured on it.
- The exposure of the file also reveals the list of FBI targets. A bit of reverse engineering, intelligence, and vigilance can easily reveal sources, methods, and means that this organization would prefer to keep in the shadows.