Fallout continues for the Transportation Security Administration (TSA) over the hack and release of data from its official No-Fly List earlier this month, as U.S. Reps. Mark Green (R-TN) and Dan Bishop (R-NC) demanded answers and oversight of how this happened.
Green is the chairman of the House Committee on Homeland Security.
In a bizarre case, recent versions of both the Federal Terrorist Screening Dataset and the national No-Fly List were accessed through an unsecured server run by the U.S. national airline CommuteAir. While it would have been bad enough for a leak of company data – including private information of nearly 1,000 CommuteAir employees – on this scale, the Swiss developer and hacker known as Maia Arson Crimew also found the federal documents containing the identities of thousands of individuals barred from air travel due to suspected or known ties to terrorist organizations.
However, in interviews since, Crimew pointed out that some people on the list would have been only four or five years old at the time they were placed on the list, and the list at large trends almost exclusively toward Arabic- and Russian-sounding names.
“Based on this reporting, the Committee understands that as many as 1.5 million data entries, including names, dates of birth, and aliases of individuals prohibited from flying into, out of, within, or over the United States was accessed on an unsecure Amazon Web Services server belonging to CommuteAir, which operates flights exclusively for United Airlines across several major hubs in the United States, including Washington Dulles, Denver, and Houston,” the members wrote to TSA Administrator David Pekoske last week.
The Homeland Security Committee announced intentions to conduct oversight of the TSA and the actions leading to the case to guarantee the security of America’s transportation systems and civil rights. This may prove to be a big job, considering the hacker involved in this incident also claimed to have been able to exploit access to the CommutAir server to cancel or delay flights and switch out certain crew members.
“If this were to be the case, the national security implications of this are alarming,” the lawmakers wrote. “As you are keenly aware, the transportation systems sector is one of 16 critical infrastructure sectors in the United States, ensuring the free movement of people and goods essential to the American economy and way of life. The notion that such a consequential database be left unsecure is a matter concerning cybersecurity, aviation security, as well as civil rights and liberties.”
They wrote asking if this was the case and, more generally, if airlines can verify that flight cancellations, flight delays, or alterations to crew assignments are being made by individuals authorized to do so. They also pushed for details on the security requirements in place for TSA-sensitive information and any threat assessments conducted in the wake of this incident.