Congress to Investigate TSA No-Fly List Breach by Transgender Hacker
Republican lawmaker Dan Bishop (R-NC) has indicated that Congress will investigate the recent leak of the TSA no-fly list by a transgender hacker.
CNN reports that an investigation into a potential cybersecurity incident has been opened by the TSA after a hacker claimed to have gained access to the organization’s no-fly list of known or suspected terrorists. The information was discovered on the unprotected computer server of a regional airline named CommuteAir.
Rep. Dan Bishop, who sits on the House Homeland Security Committee, said that Congress “will be coming for answers” as a result of the incident, which has raised questions about the security of the TSA’s systems. Bishop referred to the fiasco as “a civil liberties nightmare.”
In a blog post, the hacker, a Swiss cybersecurity researcher who goes by the handle “maia arson crimew,” and whose Twitter bio reads: “Indicted hacktivist/security researcher, artist, mentally ill enby polyam trans lesbian anarchist kitten (θΔ), 23 years old,” claimed to have discovered the no-fly list while searching airlines for exposed servers and databases.
Crimew claimed to have come across the no-fly list while investigating an exposed CommuteAir server. By taking advantage of the server’s default settings, he claimed, the incident involved “pretty much no skill required,” and he “owned them completely in less than a day.”
The regional airline acknowledged the incident and stated that the hacker had accessed “an outdated 2019 version of the federal no-fly list,” which contained first and last names as well as dates of birth. The airline made sure to point out that it wasn’t the entire Terrorist Screening Database — which isn’t made available to airlines.
The TSA no-fly list is a subset of individuals in the Terrorist Screening Database, also known as “the watchlist,” which the FBI says “are known to be or reasonably suspected of being involved in terrorist activities.” The no-fly list is used to bar known or suspected terrorists from taking flights into or within the US.
Cybersecurity incidents are not new to the aviation sector. In recent years, hackers have targeted airlines in an effort to steal personal information, obstruct flights, or access sensitive data. The incident involving CommuteAir brings to light the ongoing difficulties the sector faces in protecting passengers’ data and securing its systems.