It’s been a rough few weeks for the U.S. air industry and tech. First, Southwest Airlines was forced to cancel an astounding 16,700 holiday flights due, in part, to outdated scheduling software. Just weeks later the Federal Aviation Administration drastically had to ground all domestic flights because of a corrupted database file in a crucial safety system. Now, a regional airliner has reportedly inadvertently spilled the beans on the U.S.’ no-fly, terrorist watch list. And it’s a long list.
A Swiss hacker going by the name “maia arson crimew” claims they discovered the list on an unsecured server run by Michigan-based airliner CommuteAir. Buried in the server, which also included personal information of nearly 1,000 CommuteAir employees, was a file labelled, “NoFly.csv.” The file, first reported on by The Daily Dot, is reportedly in reference to a small subset of the U.S. government’s Terrorist Screening Database, maintained by the DOJ, FBI, and Terrorist Screening Centre (TSC). The 80mb exposed file from 2019, left publicly viewable on the open internet, included over 1.5 million entries. Those entries included the names and birthdates of people with suspected ties to terrorist organisations.
Gizmodo was unable to immediately verify the content of the files though their legitimacy was conferred in an email from CommuteAir.
Revelation of the exposed database drew immediate criticism from civil liberties organisations.
“We have fundamental issues with watchlisting given our long knowledge and experience of how it can be abused,” ACLU National Security Project Director Hina Shamsi told Gizmodo. “There’s little or no public evidence that a system like this is even effective, or at what cost to individual liberties.”
“Throughout the last 20 years, the U.S. citizens and residents we’ve seen targeted for watchlisting are disproportionately Muslim and those of Arab, Middle Eastern, or South Asian descent, and sometimes it’s people who dissent or have what are seen as unpopular views,” Shamsi added. “The categories of people watchlisted seem ever-expanding, never constricting.”
Speaking to that point, the hacker says the no-fly list included many names of apparent Middle Eastern or Arabic origin, along with other high profile names like Russian arms dealer Viktor Bout, known as “The Merchant of Death,” who was recently freed in exchange for WNBA star Brittney Griner. Names associated with the Irish paramilitary organisation the IRA were also allegedly included on the list, as was an individual described as just eight years old. In some cases, named figures had multiple aliases which served to inflate the 1.5 million figure. The Russian arms dealer, for example, reportedly had 16 aliases associated with him.
In addition to the no-fly list, the unsecured CommuteAir server reportedly also included address, passport numbers, and phone numbers on about 900 of its employees.
CommuteAir confirmed the legitimacy of the database which it described as a “misconfigured development server.” The airline said it has since taken the server offline and reported the data exposure to the Cybersecurity and Infrastructure Security Agency.
“The researcher accessed files including an outdated 2019 version of the federal no-fly list that included first and last name and date of birth,” CommuteAir told Gizmodo. “Additionally, through information found on the server the researcher discovered access to a database containing personal identifiable information of CommuteAir employees.”
The FBI did not respond to Gizmodo’s request for comment.
“At a bare minimum, if the government is to use watchlists, it must institute narrow, specific and public criteria for placing individuals on them; apply rigorous public procedures for reviewing, updating, and removing erroneous entries; and limit the use of such lists such that they do not amount to what people experience them as: punishment without charge or trial,” Shamsi added.