First reported by the Daily Dot (opens in new tab), an activist and hacker named maia arson crimew (opens in new tab) discovered an unsecured U.S. regional airline CommuteAir (formerly CommutAir) owned discovered a 2019 U.S. Government No-Fly List on its servers. This glimpse into this well-known but not publicly available U.S. government registry is the latest in a string of large corporate security breaches in recent months.

Crimew, an independent hacker and researcher, discovered the list through a variant of Shodan, a cybersecurity-focused search engine that can find unsecured servers on the Net. Crimew is a partner of United Airlines and short-range In addition to the list itself, with the outrageously named NoFly.csv, Crimew found detailed CommuteAir employee records and "refueling, cancellations, flight updates, crew replacements, etc.

Crimew discovered credentials that allow access to "the navlblue API for ...

Crimew does not fully disclose the No-Fly List, but makes it available to journalists upon request; according to Kotaku (opens in new tab), the list has over 1.56 million entries and includes the names, dates of birth, and pseudonyms of the targeted individuals. Crimew told the Daily Dot, "It's crazy to me how large the Terrorism Screening Database is and the very clear trend of almost Arabic and Russian-like names among the one million entries I don't know what to say."

CommuteAir confirmed that the database is authentic and dated 2019, and TSA told the Daily Dot that it is "aware of a possible CommuteAir cybersecurity incident" and is "working with (its) federal partners to investigate."

TSA stated.

The U.S. government had maintained a small list of individuals with "Do Not Transport" flags since before 2001, but the No-Fly list exploded in size and scope after the September 11 attacks. Critics argue that the list is an opaque overreach of the security state and disproportionately affects Muslims. The list also includes U.S. citizens.

In 2016, Senator Dianne Feinstein (open in new tab) revealed that the list covers 81,000 people, and in 2005, the TSA (open in new tab) acknowledged receiving 30,000 complaints from people mistakenly added to the list. It is unclear how many of the 1.5 million entries in NoFly.csv were aliases, common misspellings, or other forms of repeated entries of the same person. The Daily Dot, on the other hand, mentions the possibility that the leak reflects the wider and less restrictive Terrorism Screening Database, as opposed to the narrower and more stringent No-Fly list.

This is not crimew's first act of hacktivism. She has previously leaked data from Intel, Nissan, and the cloud-based security firm Velcada. Crimew's home was raided by Swiss police in connection with accusations from the U.S. government about these leaks, but the Swiss Constitution exempts her from extradition to the United States. Climieux maintains a personal website (opens in new tab) and an active Twitter account (opens in new tab).