CommuteAir, which operates Embraer ERJ-145s for United Airlines, left the entire U.S. federal No Fly List on a server that was easily hacked.
While the original requirement to show ID at the airport was a political decision, made in order to appear to be ‘doing something’ after TWA flight 800, the reason you have to show ID at airport security now is so that the government can compare you against its various watch lists, from the No Fly List to various enhanced screening lists.
- If you didn’t have to be ID’d, you could fly under any name you wished. The government might be looking for Ayman al-Zawahiri, but he could just buy a ticket under a different name.
- The lists themselves are secret. They won’t tell you that you are on them. They may assign you a redress number to show that you’re not the Ayman al-Zawahiri they happen to be looking for but they won’t ever say that name was on the list.
- And people get on these lists by mistake, for instance because an FBI agent checked the wrong box on a form. Or they get on out of revenge, against people who refused to act as informants. It’s pre-crime profiling: a bureaucrat puts your name on the list and imposes a punishment without any due process or even proof you’ve actually done anything to warrant it.
Still, the list is considered both highly secret (but not classified) and crucial by the federal government. But it’s also given to airlines.
Analysis of the server resulted in the discovery of a text file named “NoFly.csv,” a reference to the subset of individuals in the Terrorist Screening Database who have been barred from air travel due to having suspected or known ties to terrorist organizations.
The list, according to crimew, appeared to have more than 1.5 million entries in total. The data included names as well as birth dates. It also included multiple aliases, placing the number of unique individuals at far less than 1.5 million.
On the list were several notable figures, including the recently freed Russian arms dealer Viktor Bout, alongside over 16 potential aliases for him. …Suspected members of the IRA, the Irish paramilitary organization, were also on the list. …Another individual, according to crimew, was listed as 8 years old based on their birth year.
While the larger Terrorist Screening Database was suspected to contain nearly two million names, the actual No Fly List, which bans boarding aircraft in the United States, has been believed to be much smaller (perhaps 100,000 – 200,000 names). CommuteAir says the data they hosted was the No Fly List, but the list they exposed is much larger than expected.
The compromised server also included personal information – passport numbers, addresses, and phone numbers – of about 900 CommuteAir employees.
The information was secured prior to the hack being revealed. The hacker explains how they did it.