appears that the federal government’s good name is being harmed by the actions of a hacker in Switzerland, which is only the latest blow to law enforcement’s once stellar reputation for security.
On Thursday, a security researcher published a blog post detailing how she allegedly easily hacked an unsecured server and gained access to the United States government’s Terrorist Screening Database and the contentious “No Fly List,” which contains the names of hundreds of thousands of people suspected of ties to terrorism or other illegal activities.
The server was apparently under the control of CommuteAir, the national airline of the United States, and her hacking led her to the government files.
The hacker, known as “maia arson crimew,” stated in her blog post that she had discovered the names and schedules of CommuteAir’s crews as well as security credentials that would allow her to access the Transportation Safety Administration’s (TSA) No Fly list within a half hour.
According to the Daily Dot, the list she discovered contained more than 1.5 million names, as well as lists of aliases under which they may travel and names that the federal government had designated as prohibited from flying in the United States.
“On the list were several notable figures, including the recently freed Russian arms dealer Viktor Bout, alongside over 16 potential aliases for him,” the Daily Dot added.
The list had a huge number of people with Arab and Middle Eastern-sounding names, as well as suspected members of the Irish paramilitary force, the IRA, and other terrorists. One individual was eight years old according to the corresponding date of birth associated with the name.
“It’s just crazy to me how big that Terrorism Screening Database is and yet there are still very clear trends towards almost exclusively Arabic and Russian sounding names throughout the million entries,” crimew told Daily Dot.
The TSA simply stated that they are “aware of a potential cybersecurity incident” with the airline’s servers, and the FBI made no comment on the incident.
CommuteAir, for its part, stated that the server breached was not a working server, but rather a “development server” used to store training materials and programs.
CommuteAir also stated that the server, which has since been taken offline, contained no customer information.
The airline also stated that the No Fly list discovered by the hacker was out of date.
“The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth,” CommuteAir Corporate Communications Manager Erik Kane told Daily Dot.
“In addition, certain CommuteAir employee and flight information was accessible. We have submitted notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation.”
Whether the list crimew exposed was “outdated” or not, though, is entirely beside the point. The fact that the hacker was able to find such sensitive information and access points that would allow her to conduct further breaches is the real problem.
It shows that far too many companies with access to government servers and information do not take their computer security seriously enough, a fact that makes us all vulnerable to attack.