A foreign hacker obtained an old copy of the U.S. government’s Terrorist Screening Database and “no fly” list from an unsecured server belonging to a commercial airline.
The Swiss hacker known as “maia arson crimew” blogged Thursday that she discovered the Transportation Security Administration “no fly” list from 2019 and a trove of data belonging to CommuteAir on an unsecured Amazon Web Services cloud server used by the airline.
The hacker told The Daily Dot the list appeared to have more than 1.5 million entries. The data reportedly included names and birthdates of various individuals who have been barred from air travel by the government due to suspected or known ties to terrorist organizations.
“CommuteAir was notified by a member of the security research community who identified a misconfigured development server,” said Erik Kane, corporate communications manager for CommuteAir. “The researcher accessed files, including an outdated 2019 version of the federal no-fly list that included first and last name and date of birth. Additionally, through information found on the server, the researcher discovered access to a database containing personal identifiable information of CommuteAir employees.”
CommuteAir is a regional airline founded in 1989 and based in Ohio. The company has hubs in Denver, Houston and Washington Dulles and operates more than 1,600 weekly flights to over 75 U.S. destinations and three in Mexico.