A US no-fly list with over 1.5 million banned flier records and over 250,000 “select” ones has been shared publicly on a hacking forum.
BleepingComputer has confirmed that the list is the same TSA No Fly List that was recently discovered on an unsecured CommuteAir server.
The no-fly list made public
This month, Swiss hacker Maia Arson Crimew (formerly Tillie Kottmann) came across a misconfigured AWS server containing the TSA’s no-fly list, as first reported by Daily Dot journalist Mikael Thalen.
The server in question belonged to Ohio-based airline CommuteAir. Although steps were taken earlier to fix the leak, the No Fly List still surfaced online on January 26 on a publicly accessible hacking forum.
We have verified with Thalen and another source that the lists posted on the forum are the same no-fly and select lists that were recently discovered on the CommuteAir server.
BleepingComputer reviewed part of these lists, provided as two CSV files named “NOFLY” and “SELECTEE”. The latter list likely names some of the passengers who are subjected to Secondary Security Screening Selection (SSSS) at airports when flying to the United States.
The no-fly spreadsheet posted on the forum contains 1,566,062 records and includes duplicates and spelling variations of some names. The ‘SELECTEE’ list includes 251,169 records. The presence of duplicates and aliases means that the total number of distinct exposed names is lower than 1.5 million.
Both spreadsheets contain a person’s first name, last name, potential aliases, and date of birth. The lists, according to the hacker, are from the year 2019.
The list mentions the Russian arms dealer Viktor Bout as well as his 16 potential aliases, the Daily Dot observed.
The FBI’s Terrorist Screening Center (TSC) is used by several federal agencies to manage and share consolidated information for counterterrorism purposes. The agency maintains a watch list called the Terrorist Screening Database, sometimes also referred to as the “No Fly List.”
These databases are secret, though not “classified,” and are considered sensitive given the vital role they play in supporting national security and law enforcement tasks. Known terrorists or reasonable suspects who pose a risk to national security are “nominated” for placement on the secret watch list at the government’s discretion.
The no-fly list is usually hidden from public view. It is, however, referenced by private airlines and multiple agencies such as the Department of State, the Department of Defense, the Transportation Security Administration (TSA) and Customs and Border Protection (CBP) to verify whether a passenger is cleared to fly or inadmissible to the United States, or to assess their risk for various other purposes.
Researchers, including Bob Diachenko, have previously discovered secret terrorist watch lists left exposed on the internet, but those leaks were fixed long before they received mainstream media coverage. This is the first time, however, that such a list has been shared on a publicly accessible website for anyone to see.
Interestingly, the list discovered in 2021 by Diachenko was considerably more detailed than the one published on the forum this month, containing fields such as names, gender, passport number and issuing country, TSC ID, and watchlist ID.
The US government is investigating
Although the security breach originated on an exposed AWS server owned by an airline, it sent shivers down the spine of the US government apparatus, with government officials and lawmakers investigating the matter.
The TSA investigated the cybersecurity incident.
“On January 27, the TSA issued a security directive for airports and airlines,” a TSA spokesperson told BleepingComputer in an updated statement.
“The Security Directive reinforces existing requirements for handling sensitive security information and personally identifiable information. We will continue to work with our partners to ensure they implement security requirements to protect systems and networks against cyberattacks.”
A source familiar with the matter told BleepingComputer that no TSA information systems were compromised in connection with the breach. Additionally, the federal agency has issued an industry security awareness message to all aircraft carriers to review their systems and take immediate action to ensure their files are protected.
In a statement shared with BleepingComputer, a CommuteAir spokesperson said:
“CommuteAir was notified by a member of the security research community who identified a misconfigured development server. The researcher accessed files uploaded to the server in July 2022 that included outdated 2019 versions of the federal no-fly and selectee lists containing certain individuals’ names and dates of birth. The lists were used to test our software-based compliance process for implementing federally mandated security requirements. Additionally, through the server, the researcher accessed a database containing personally identifiable information of CommuteAir employees. CommuteAir immediately took the affected server offline and initiated an investigation to determine the extent of access to data. To date, our investigation indicates that no customer data has been exposed. CommuteAir has reported the data exposure to the Cybersecurity and Infrastructure Security Agency and also informed its employees.”
BleepingComputer has approached the FBI for comment.
US Congressman Dan Bishop and Homeland Security Committee Chairman Dr. Mark Green have put a series of pointed questions to TSA Administrator David Peter Pekoske.
Beyond the data leak itself, the incident may now become a matter of national security, given the claims made by the hacker:
“Additionally, the hacker claimed that he may have been able to exploit his access to the server to cancel or delay flights and even swap crew members. If this were to be the case, the national security implications would be alarming,” write the members of the US Homeland Security Committee in a letter dated January 26.
The transportation systems sector is one of 16 critical infrastructure sectors in the United States, the letter states. “The idea that such a large database is insecure is a matter of cybersecurity, aviation security, and civil rights and liberties.”
The hacker, maia arson crimew, previously known by the pseudonyms deletescape, antiproprietary and Tillie Kottmann, was previously indicted by a US grand jury for conspiracy, wire fraud and aggravated identity theft.
The hacker was also involved in the Verkada hack, which allowed him to gain unauthorized access to the security cameras of Tesla, Cloudflare, and the offices of various other Verkada customers.