EXCLUSIVE Leaked TSA No Fly List File Found on Airline Server

Mikael Thalen

David Covucci

An unsecured server discovered by a security researcher last week contained the identities of hundreds of thousands of individuals from the U.S. government's Terrorist Screening Database and No Fly List.

Located by the Swiss hacker known as maia arson crimew, the server, run by the U.S. national airline CommuteAir, was left exposed on the public internet. It revealed a vast amount of company data, including private information on almost 1,000 CommuteAir employees.

Analysis of the server resulted in the discovery of a text file named "NoFly.csv," a reference to the subset of individuals in the Terrorist Screening Database who have been barred from air travel due to having suspected or known ties to terrorist organizations.

The list, according to crimew, appeared to have more than 1.5 million entries in total. The data included names as well as birth dates. It also included multiple aliases, placing the number of unique individuals at far less than 1.5 million.

On the list were several notable figures, including the recently freed Russian arms dealer Viktor Bout, alongside over 16 potential aliases for him.

The aliases comprised different common misspellings of his last name and other versions of his first name, as well as different birthdays. Many of the birthdays aligned with the recorded date Bout was born.

Suspected members of the IRA, the Irish paramilitary organization, were also on the list.

Another individual, according to crimew, was listed as 8 years old based on their birth year.

Many entries on the list were names that appeared to be of Arabic or Middle Eastern descent, although Hispanic and Anglican-sounding names were also on the list. Numerous names included aliases that were common misspellings or slightly altered versions of their names.

"It's just crazy to me how big that Terrorism Screening Database is and yet there is still very clear trends towards almost exclusively Arabic and Russian sounding names throughout the million entries," crimew said.

"Over last 20 years, the U.S. citizens that we've seen targeted for watchlisting are disproportionately Muslim and people of Arab or Middle Eastern and South Asian descent," said Hina Shamsi, director of the National Security Project at the American Civil Liberties Union (ACLU). "Sometimes it's people who dissent or have what are seen as unpopular views. We've also seen journalists watchlisted."

In a statement to the Daily Dot, TSA said that it was "aware of a potential cybersecurity incident with CommuteAir, and we are investigating in coordination with our federal partners."

The FBI declined to answer specific questions about the list to the Daily Dot.

In a statement to the Daily Dot, CommuteAir said that the exposed infrastructure, which it described as a development server, was used for testing purposes.

CommuteAir added that the server, which was taken offline prior to publication after being flagged by the Daily Dot, did not expose any customer information based on an initial investigation.

CommuteAir also confirmed the legitimacy of the data, stating that it was a version of the federal no-fly list from roughly four years prior.

"The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth," CommuteAir Corporate Communications Manager Erik Kane said. "In addition, certain CommuteAir employee and flight information was accessible. We have submitted notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation."

CommuteAir is a regional airline based out of Ohio. In June 2020, CommuteAir replaced ExpressJet as the carrier for its United Express Banner, a regional branch of United, which runs shorter flights.

In remarks to the Daily Dot, crimew said that they had made the discovery while searching for Jenkins servers on the specialized search engine Shodan. Jenkins provides automation servers that aid in the building, testing, and deployment of software. Shodan is used throughout the cybersecurity community to locate servers exposed to the open internet.

The server also held the passport numbers, addresses, and phone numbers of roughly 900 company employees. User credentials to more than 40 Amazon S3 buckets and servers run by CommuteAir were also exposed, said crimew.

The Terrorism Screening Database, according to the FBI, is a list of individuals shared across government departments to prevent the kind of intelligence lapses that occurred prior to 9/11. Within that is the smaller, more tightly controlled No Fly List. Individuals in the Terrorism Screening Database can be subject to certain restrictions and given additional security screening. Individuals explicitly on the No Fly List are barred from boarding aircraft in the United States.

"This country has a massive, bloated watchlisting system that can stigmatize people, including Americans, as known or suspected terrorists, based on secret standards and secret evidence, without a meaningful process to challenge government error and clear their names," Shamsi said. "The categories of people watchlisted seem ever expanding, never constricting. The consequences are significant and have real harms for people's lives. There's the obvious stigma and embarrassment and life hardships of being unable to fly in our modern age, to being singled out, to being searched. We've had mothers and fathers stigmatized and embarrassed in front of their children."

Estimates of both the Terrorism Screening Database and the No Fly List have long been made. The Terrorism Screening Database has been estimated to contain up to 1 million entries, with the No Fly List reportedly much smaller.

When asked for clarification, CommuteAir said it was specifically the No Fly List subset they hosted, which means it could potentially be much larger than previously reported.

But an expert familiar with the contours of the No Fly List cautioned that a list that size may be the larger Terrorism Screening Database and not the smaller No Fly List.

The Intercept in 2014 previously reported that the No Fly List held more than 47,000 names. In 2016, Sen. Dianne Feinstein (D-Calif.) suggested that over 81,000 people were on the list.

Although the list is highly secretive and rarely leaks, it is not considered a classified document due to the number of agencies and individuals that need access to it.

In a declaration to the ACLU, G. Clayton Grigg, at the time the Deputy Director for Operations of the Terrorist Screening Center, said that while the list does contain classified national security information, maintaining the TSDB as a sensitive but unclassified system allows for law enforcement screening officers to use the identifying information from the TSDB even though they may not possess Secret or Top Secret security clearances.

The discovery by crimew is not the first time an unsecured version of the Terrorist Screening Database has been exposed online. Security researcher Volodymyr "Bob" Diachenko found a detailed copy of the terrorism watchlist with 1.9 million entries in 2021.

Names provided to Diachenko by the Daily Dot matched entries on the list he obtained, although Diachenko never received official confirmation his list was genuine.

The No Fly List has routinely been criticized by privacy and civil liberties experts. The ACLU successfully sued to allow citizens to challenge their inclusion on the list. However, more work needs to be done to improve transparency with the list, Shamsi said.

"It is already a massive and bloated system, and growth is exactly the kind of thing that happens when you have a vague and overbroad system of what's essentially government surveillance based on suspicion and without due process. At the bare minimum, if the government is to use watchlists, it must have narrow and specific public criteria for entry and apply rigorous public procedures for reviewing, updating, and removing dubious entries."

Update: In the wake of the leaked TSA No Fly List, Rep. Dan Bishop (R) called on Congress to investigate the matter.

Mikael Thalen is a tech and security reporter covering social media, data breaches, hackers, and more.

David Covucci is the senior politics and technology editor at the Daily Dot, covering the nexus between Washington and Silicon Valley. His work has appeared in Vice, the Huffington Post, Jezebel, Gothamist, and other publications. He is particularly interested in hearing any tips you have. Reach out at dcovucci@thedailydot.com.