The Transportation Security Administration said it was investigating a “potential cybersecurity incident” after a hacker claimed to access an older version of the agency’s no-fly list of known or suspected terrorists.
“TSA is aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners,” TSA said in a statement to CNN.
The data was sitting on the public internet in an unsecured computer server hosted by CommuteAir, a regional airline based in Ohio, according to the hacker claiming the discovery.
The hacker, who also describes herself as a cybersecurity researcher, told CNN she notified CommuteAir of the data exposure.
CommuteAir said in a statement that the data accessed by the hacker was “an outdated 2019 version of the federal no-fly list” that included names and birthdates.
CommuteAir, which exclusively operates 50-seat regional flights for United Airlines from Washington Dulles, Houston and Denver hubs, said it took the affected computer server offline after a “member of the security research community” had contacted the airline.
The no-fly list is a set of known, or suspected, terrorists, who are barred from flying to or in the US. The screening program grew out of the September 11, 2001, terrorist attacks and involves airlines comparing their passenger records with federal data to keep dangerous people off planes.
The Daily Dot, a tech news outlet, first reported on the incident.
In a memo to current and former CommuteAir employees obtained by CNN, the airline also said it discovered a data breach in November in which an “unauthorized party” accessed personal information held by the airline, including names, birthdays and the last four digits of Social Security numbers.
“We are … working closely with law enforcement to ensure the incident is properly addressed,” CommuteAir said in the memo.
In a filing with Maine’s attorney general Tuesday, CommuteAir said that the exposure of the no-fly List was a separate incident from “the November 2022 data breach from a hacker.”
The hacker and security researcher claiming to have accessed the no-fly list data says she is 23 years old and based in Switzerland.
“It should never be this easy to just completely (breach) an entire airline,” the hacker, who goes by the name maia arson crimew, told CNN. She shared samples of the data to support her claim. The list included names of known or suspected terrorists and their birthdays, including that of convicted Russian arms dealer Viktor Bout, whom the Biden administration recently sent back to Russia in a prisoner exchange for WNBA star Brittney Griner.
The Swiss hacker says she used to go by the name Tillie Kottmann. A person by that name was indicted by a US grand jury in 2021 for allegedly being part of a conspiracy that hacked dozens of companies and government organizations and posted stolen data online.
The hacker has often claimed to be exposing overly broad surveillance programs. She was allegedly part of a group of hackers that breached US security camera maker Verkada in 2021 and reportedly accessed live feeds of thousands of the company’s cameras in hospitals and prisons.
This story has been updated with additional developments.
CNN’s Gregory Wallace and Andrea Cambron contributed to this report.