House Republicans will be investigating the Transportation Security Administration to work out how a prolific Swiss hacker who identifies as a “tiny kitten” was able to obtain over a million entries from the No-Fly List, The Spectator has learned. The hacker, a twenty-three-year-old who goes by Maia Arson Crimew, was able to access a 2019 version of the list after what she described as just a few hours of hacking.
Following the news of the hack, Representative Dan Bishop of North Carolina, who serves on the Homeland Security Committee, immediately suggested that the new House GOP majority planned to use the full weight of its oversight powers to learn how this data was left so exposed — and to determine the extent to which Americans’ national security and personal liberty were compromised.
The entire US no-fly list – with 1.5 million+ entries – was found on an unsecured server by a Swiss hacker.
Besides the fact that the list is a civil liberties nightmare, how was this info so easily accessible?
We’ll be coming for answers. https://t.co/9sN2AhucnM
— Rep. Dan Bishop (@RepDanBishop) January 21, 2023
In a letter sent this morning to TSA administrator David Pekoske, and obtained exclusively by The Spectator, Bishop — and Homeland Security chairman Representative Mark Green — outlined a series of questions about the “alarming” hack, which the members call “a matter concerning cybersecurity, aviation security, as well as civil rights and liberties.”
While the Republicans sit on the committee that oversees TSA, they wrote that they were unaware of the massive data breach until they read about it in the media. “It is incumbent upon the members of the committee on Homeland Security to conduct necessary oversight to ensure threats to Americans’ transportation systems and civil rights and liberties are taken seriously,” they warned.
Crimew, who was previously known as Tillie Kottmann and describes herself as a “mentally ill enby polyam trans lesbian anarchist kitten,” boasted about her successful hack in terms bordering on the flippant at times, Bishop and Green say that the hack is no laughing matter. Crimew claimed that she “may have been able to exploit access to the server to cancel or delay flights and even switch out crew members.” She also bragged to the Record that she “had access to pretty much all their infrastructure in some way.”
The materials Crimew obtained include a 2019 version of the Federal Terrorist Screening Dataset, as well as that year’s No-Fly List. The hacker has not publicly released the entire data set, but did name several individuals, including notorious Russian arms dealer Viktor Bout, on it as proof of its authenticity.
The fact that the No-Fly List contained over a million names, including Bout’s and some members of the Irish Republican Army, prompted consternation from across the political spectrum. Bishop told me that “the No-Fly list has ballooned to an absurdly high number of people. The civil rights abuses of the list have been well-documented, and these are only exacerbated by this hack.” The American Civil Liberties Union echoed Bishop’s criticisms from the left.
Among the questions the Republicans want Pekoske to answer — by February 8 — are when the TSA learned of the hack, whether there were instances of unauthorized individuals canceling flights or changing crew member assignments, and what threat assessments it has conducted in the wake of the breach.
The hack itself shows how vulnerable flight data is. In a blog posted creatively titled “how to completely own an airline in 3 easy steps,” Crimew explained how she both “owned” CommuteAir “and grab[bed] the TSA nofly list along the way.”
After a few hours, she “had found pretty much all PII [personally identifiable information] imaginable for each of their crew members. full names, addresses, phone numbers, passport numbers, pilot’s license numbers, when their next linecheck is due and much more.”
In addition to accessing the private information of flight crews, Crimew “had trip sheets for every flight, the potential to access every flight plan ever, a whole bunch of image attachments to bookings for reimbursement flights containing yet again more PII, airplane maintenance data, you name it. i had owned them completely in less than a day, with pretty much no skill required.”
Crimew describes her shock at finding the No-Fly List itself as follows: “holy shit, we actually have the nofly list. holy fucking bingle. what?! :3” Lawmakers are much less amused, and much less likely to use emojis, in expressing their anger.
“Whether you’re a Swiss hacker or a Mexican drug lord, you know that under Secretary Mayorkas’s so-called leadership, the United States is completely unsecured,” Mississippi representative Mike Ezell told me. TSA is under Alejandro Mayorkas’s leadership, and Republicans like Ezell have been fiercely critical of the embattled Homeland Security secretary.
The push by Representatives Bishop and Green for TSA accountability comes at an awkward time for the broader Biden administration, which had spent the Christmas season scrambling to address thousands of unrelated flight cancellations and criticism that its transportation secretary, Pete Buttigieg, is unprepared — or uninterested — in doing his job.
“There’s no substitute for experience, which he obviously does not have,” Indiana congressman Greg Pence told me. Representative Tim Walberg, who represents Buttigieg’s new home state of Michigan, agreed, saying that Buttigieg is “fully unprepared for what he’s doing.”
Now that House Republicans have subpoena power, and no shortage of ire for Pekoske, Mayorkas and Buttigieg, this demand for answers by Bishop and Green is a sign of what’s to come. “This is only the beginning of our work fighting to bring accountability to the alphabet soup of federal agencies,” Bishop’s communications director Allie McCandless told me.
