- A Swiss hacker says she found a copy of the FBI's "no-fly" list on an unsecured server.
- The 2019 list, with over 1.5 million entries, includes an overwhelming number of Muslim passengers.
- The server, maintained by CommuteAir, also held private employee data, such as passport numbers.
The FBI Terrorism Screening Center's secret "no-fly" list just got a lot less mysterious thanks to a bored Swiss hacker exploring unsecured servers in her free time.
Maia arson crimew, described by the Department of Justice as a "prolific" hacker in an unrelated indictment, said she was clicking around on an online search engine full of unprotected servers on January 12 when she accessed one maintained by a little-known airline and found the highly sensitive documents, along with what she called a "jackpot" of other information.
The Daily Dot first reported on Thursday that the server, hosted by CommuteAir, a regional airline that partners with United Airlines to form United Express routes, contained among its files a redacted 2019 version of the anti-terrorism "no-fly" list.
The file "NoFly.csv," found by crimew, contains over 1.5 million entries including names and dates of birth of people the FBI identifies as "known or suspected terrorists," who are prevented from boarding aircraft "when flying within, to, from and over the United States." A second file, titled "selectee.csv" contains 251,169 entries of names of people who are subject to additional screening while flying. The lists contained alternate spellings and aliases for included individuals, making the total number of unique entries lower than the total number of included names.
A spokesperson for the airline confirmed the authenticity of the files to Insider and said personally identifiable information belonging to employees was also found in the hack, but declined to answer detailed questions about the hack itself.
"Based on our initial investigation, no customer data was exposed," Erik Kane, a spokesperson for CommuteAir, said in a statement to Insider. "CommuteAir immediately took the affected server offline and started an investigation to determine the extent of data access. CommuteAir has reported the data exposure to the Cybersecurity and Infrastructure Security Agency, and also notified its employees."
The Transportation Security Administration confirmed to Insider that it had been made aware of the incident.
"We are investigating in coordination with our federal partners," Lorie Dankers, a spokesperson for the TSA, said in a statement to Insider. The TSA, which enforces the "no-fly" list, declined to answer detailed questions about the list and its leak, referring Insider to the FBI — the federal agency that maintains the list.
In a statement emailed to Insider, a representative for the FBI would neither confirm nor deny any individual names on the list, but said individuals are included "in a manner consistent with protecting privacy and civil liberties."
Easily accessible secrets
Crimew told Insider it took just minutes for her to access the server and find credentials that allowed her to see the database. She said she was exploring the servers as a way to combat boredom while sitting alone and didn't intend to discover something with US national security implications.
While browsing files in the company's server, "it dawned on me just how heavily I had already owned them within just half an hour or so," crimew wrote in a blog post detailing the hack. The credentials she found, which gave her access to the files, would also allow her access to internal interfaces that controlled refueling, canceling and updating flights, and swapping out crew members — if she were so inclined, she wrote.
"It's disturbing to see such information revealed to people that are not with the need-to-know for that," Kenneth Gray, a retired FBI agent who served for 24 years, told Insider. "There's a number of reasons why a person on that list may not actually be a terrorist. But the thing is, there are also people on there that are suspected of being a terrorist or are known to be a terrorist. And so, if that information is released, then the public becomes aware of ongoing investigations. And those international terrorism cases, those ongoing investigations are normally classified. And so revealing this kind of information could lead to those individuals becoming aware that they are under investigation."
The massive files, reviewed by Insider, contain over a dozen aliases for Viktor Bout, the Russian "Merchant of Death" who was traded in a prisoner swap for basketball player Brittney Griner, as well as a large number of names of people suspected of organized crime in Ireland. However, crimew said there was a notable trend among the names.
"Looking at the files, it just confirmed a lot of the things me, and probably everyone else, kind of suspected in terms of what biases are in that list," crimew told Insider. "Just scrolling through it, you will see almost every name is Middle Eastern."
Edward Hasbrouck, an author and human rights advocate, wrote in his analysis of the documents that the lists "confirm the TSA's (1) Islamophobia, (2) overconfidence in the certainty of its pre-crime predictions, and (3) mission creep."
"The most obvious pattern in the data is the overwhelming preponderance of Arabic or Muslim-seeming names," Hasbrouck wrote in an essay published Friday by Papers, Please, an advocacy group dedicated to addressing creeping identity-based national travel rules.
However, the FBI maintains its procedures for including people on the list are not indicative of bias.
"Individuals are included on the watchlist when there is reasonable suspicion to believe that a person is a known or suspected terrorist," an FBI spokesperson said in a statement to Insider. "Individuals are not watchlisted based solely on race, ethnicity, national origin, religious affiliation, or any First Amendment-protected activities such as free speech, the exercise of religion, freedom of press, freedom of peaceful assembly, and petitioning the government for redress of grievances."
Though the recent news about the list has prompted a resurgence of accusations of Islamophobia levied against the FBI, the "no-fly" list has long faced criticism and legal challenges from civil rights groups over its targeting of Muslim and Middle Eastern people.
The targeting of people from Arab nations was not limited to federal restrictions on travel, as the entire nation faced a spike in anti-Muslim discrimination and hate crimes across the country following the 9/11 attacks, according to the DOJ.
"It's no secret to anyone that the years following 9/11, measures that the government claimed were in the name of our national security wrongly, unfairly and discriminatorily impacted Muslims and people who appear to be Muslim," Hina Shamsi, director of the ACLU's National Security Project, told Insider. "That's the very definition of bias and it appears to be the case, the list that you have continues to reflect that bias and it just shows the need for reform and change is as urgent as it ever was."
'No-Fly' mission creep
The federal "no-fly" list was created under the George W. Bush administration, originally beginning as a small list of people prevented from flying on commercial flights due to specific threats. The list was formalized and vastly expanded in scope after the 9/11 terror attacks, when Al Qaeda-affiliated hijackers crashed commercial flights into the World Trade Center and Pentagon, killing 2,977 people.
"What you've got to remember is that the purpose of this list is part of the entire movement that tried to stop another 9/11 from happening," Gray told Insider. "In the case of 9/11, terrorists came into the country, some of the terrorists took flight lessons here in the country. Others came into the country to be the muscle on board the aircraft so that they can hijack the aircraft to turn them into weapons. And so the purpose of this is to stop another 9/11 from happening."
Inclusion on the list prevents people the FBI identifies who "may present a threat to civil aviation or national security" from boarding planes flying within, to, from, or over the United States. They do not need to have been charged or convicted of a crime to be included, just "reasonably suspected" of aiding or planning acts of terrorism.
"This was part of the US government's response to the tragedy of 9/11," Shamsi told Insider. "And from the beginning, we were gravely concerned about the civil liberties and rights impacts given how watchlists have been used in this country's history in the past. And, unfortunately, virtually all the things that we warned against have happened and are becoming entrenched."
She added: "What that means is that we've got a massive and ever-growing watchlisting system that can stigmatize people — including Americans — as known or suspected terrorists, based on secret standards, secret evidence, without a meaningful process to challenge government error and clear their names."
In the years since the original "no-fly" list was formed, it has gained official federal recognition and grown from just 16 individual names, according to the ACLU, to the 1,807,230 entries of names and aliases contained in the documents found by crimew.
"The ever-expanding scope of these lists are due to the revelations of people in the course of investigations," Gray told Insider. "And it couldn't help but expand because of the fact that more and more people become suspected, just through the course of their activities — which could be misinterpreted, for instance. There are many reasons why the list continues to expand."
Gray added that, with limited procedures for challenging a wrongful inclusion on the list, it's exceptionally difficult to get your name off if it has been incorrectly added.
"People who are on the no-fly list are denied the ability to be with family members at funerals, sickbeds, weddings, graduations, all of life's big and small events, because the ability to fly is necessary to the modern era," Shamsi told Insider. "The negative and harmful impact of wrongful placement on the no-fly lists is hard to overstate."
When looking at the list, crimew told Insider, "you start to notice just how young some of the people are." Among the hundreds of thousands of names on the list are the children of suspected terrorists including a child whose birth date indicates they would have been four years old or five years at the time they were included.
In the early 2000s, there were many reports of people being wrongly placed on the "no-fly" list, including then-Senator Ted Kennedy and peace activists Rebecca Gordon and Jan Adams. In 2006, the ACLU settled a federal suit over the list, prompting a release of its then 30,000 names and the TSA's creation of an ombudsman to oversee complaints.
Despite the existing ombudsman process, Shamsi and Gray said it is difficult to navigate and remains challenging to remove your name from the list, causing substantial trouble for people who have not committed an act of terrorism.
"What problem is this even trying to solve in the first place?" crimew told Insider. "I feel like this is just a very perverse outgrowth of the surveillance state. And not just in the US, this is a global trend."
Not the first hack
Crimew, a staunch self-described leftist and anti-capitalist, was indicted for conspiracy, wire fraud, and aggravated identity theft related to a previous hack in 2021. The DOJ alleges she and several co-conspirators "hacked dozens of companies and government entities and posted the private victim data of more than 100 entities on the web."
The outcome of the 2021 case is still pending, crimew told Insider. Though she hasn't been contacted by law enforcement in relation to the latest hack, she said she wouldn't be surprised that she had once again caught the attention of federal agencies.
"This will become the subject of a cybersecurity investigation looking into who is responsible," Gray told Insider. "The person who committed this hack, who got this information, may have done this for bragging rights, may have done this not with the intent of using this information for bad purposes. However, that information, since it's out in the public now, in the public domain, it may eventually cause problems. This could be of potential use for a terrorist group, even if that was not the original intent for the hack."
For that reason, crime told Insider said she chose to release the list through journalists and academic sources instead of freely publishing it on her blog.
"It's just a whole lot of personally identifiable information that could be used against people, especially in the hands of non-US intelligence agencies," crimew wrote in a statement to Insider. For that reason, she said she chose to release the list through journalists and academic sources instead of freely publishing it on her blog. "I just feel iffy about publicly releasing a list full of people some government entity considers 'bad.' (Not that the US doesn't use it against people, it just doesn't need to get in the hands of even more people doing harm)."
CommuteAir faced a similar data breach in November, CNN reported, after an "unauthorized party" accessed information that included names, birthdates, and partial social security numbers held by the airline.
"I just hope they maybe learned their lesson the second time," crimew told Insider.
January 25, 2023: This story has been updated with additional comments and context from the FBI, TSA, ACLU, and a retired FBI agent.