Hacktivist found the list on an unsecured airline server, creating a blog post about how she discovered it

A frenzy began on TikTok over someone posting a photo of a Sprigatito plush held up against the U.S. no-fly list, inciting a congressional inquiry into the matter.

That someone holding the plush was 23-year-old Maia Arson Crimew, an indicted Swiss hacktivist who describes herself as a cybersecurity researcher, musician, DJ and “tiny kitten.” 

In an interview, Crimew said she found the list on an unsecured server belonging to CommuteAir, a regional airline operating out of Ohio. 

“For a few days I thought about whether or not I should in any way publish the list [itself]. [But] I decided not to fully publish it because it’s a long list full of names that could be used against people,” she said. “Not just in the way of naming and shaming, but also if this list gets in the hands of other intelligence agencies that are not in the U.S., they could further do harm to people in their country that are on the list.”

Leaking sensitive data on her blog is not a part of Crimew’s usual routine regarding unsecured data of public interest. Any other time, she has reached out to a journalist to pass the message on to the data owner, effectively alerting them of a security flaw. In this case, she wanted to write up a more technical review that included comedic elements.

“[I hack because] it’s, for me, important to show the world, first of all, how much stuff is out there that’s not secure, and then use that ability to point out how that is a flaw of capitalism at the end of the day. While at the same time, exposing surveillance, exposing corruption and exposing trade secrets that should be public,” Crimew said. “It’s also about showing just how much you can do as a single person, as a single entity, how much power you really have.”

Crimew says that despite the online clout, donations and followers, she is hoping to motivate others.

“I want [this] to be motivation, not just in hacking, but in general for activists to realize just how much power you have as a single person,” she reinforced, “But especially when we come together and we all do that work, that’s how we get things going.”

“It seems just negligent from the company,” says Henry Hebner, a senior computer programming major at Ohio State University who previously worked on apps as an intern at JP Morgan Chase. “As far as I can tell, what happened was there’s just a server that pretty much anyone had access to, they just needed to find the IP for it. Once someone found the IP, they had access to property files, and that allowed them to get more access. And then with the more access they just found [data] that shouldn’t be unsecured.”

“It’s been an embarrassing couple weeks for federal agencies,” said Joseph Schwieterman, a DePaul School for Public Service professor, as well as director of the Chaddick Institute for Metropolitan Development and president of Chicago’s Chapter of the Transportation Research Forum. “The mere fact that Social Security numbers have been shared widely is an inexcusable failure.” 

The CommuteAir server that hosted the no-fly list was operated by Amazon Web Services (AWS). According to the AWS website, they host over 7,500 government agency websites. 

“The way AWS does security is kind of a gray area because sometimes they’ll just push security back onto the people that are using their apps and then sometimes like the AWS will itself be secure,” said Hebner. “So I think [AWS is] only responsible for half of the security. AWS could clearly just say like, well, it’s not our fault. You didn’t implement [the security] correctly.”

Rep. Dan Bishop (R-NC) tweeted on January 21 about the leak, saying, “We’ll be coming for answers.” Rep. Bishop is a member of the Committee on Homeland Security. As of February 14, an official investigation has not been opened. However, Rep. Bishop and Rep. Mark Green (R-TN) sent a letter to the TSA inquiring about their cybersecurity.

Over the last 30 days, Crimew’s Twitter account has gained over 75,000 followers.

Header illustration by Madeline Smith