Hacker uncovers ‘No Fly List’ on unprotected server

January 23, 2023

A Swiss hacker known as “maia arson crimew” discovered an unprotected server maintained by a U.S. national airline that contained the personal information of hundreds of thousands of people on the federal “No Fly List” and terrorism database.

The identities of nearly 1,000 CommuteAir employees were also compromised, according to the airline. According to the hacker, who first revealed the news to the Daily Dot, the exposed infrastructure could have allowed a bad actor to “completely own” the airline.

In a blog post titled “How to Completely Own an Airline in 3 Easy Steps and Grab the TSA No Fly List Along the Way,” the author detailed how boredom led to a search for internet-exposed servers running Jenkins, the open-source automation tool.

Crimew claimed it took her only minutes to connect to the server and find the credentials that allowed her to view the database. She stated that she was exploring the servers to relieve boredom while sitting alone and had no intention of discovering anything with US national security implications. The credentials she discovered that granted her access to the files also granted her access to internal interfaces that controlled refueling, canceling and updating flights, and swapping out crew members, she added.

The total number of entries on the list appeared to be more than 1.5 million. The information included names and birth dates. It also included multiple aliases, bringing the total number of unique people to far fewer than 1.5 million.

The server was taken offline prior to publication after the Daily Dot alerted CommuteAir, which said in a statement that the server was used for testing and development. The TSA stated that it was “aware of a potential cybersecurity incident with CommuteAir, which we are investigating in collaboration with our federal partners.”

The sources for this piece include an article in BusinessInsider.

Jim Love

Jim is an author and podcast host with over 40 years in technology.
