Cyber Incident Victim: CommuteAir
Date: Jan 2023
Location: United States of America
Summary
A hacker breached a regional airline's systems by exploiting an unchanged default server password, accessing a 2019 version of the TSA No Fly List and employee personally identifiable information. The perpetrator claimed they could have manipulated flight operations or forged employee credentials but opted not to probe further, citing boredom as motivation. The airline took the compromised server offline, initiated an investigation, and reported the incident to federal cybersecurity authorities, asserting no customer data was exposed. While the TSA confirmed its investigation into the breach, no connection was found to a separate nationwide aviation system outage caused by human error. The hacker, previously indicted for similar cybercrimes, publicly disclosed the intrusion through a blog post and communications with media.
Description
In early January 2023, a hacker using the alias "maia arson crimew" claimed unauthorized access to systems at regional airline CommuteAir, citing boredom as their primary motivation. The hacker detailed the breach in a blog post titled "How to Completely Own an Airline in 3 Easy Steps" and communicated with The Washington Times via email, asserting they obtained a 2019 version of the Transportation Security Administration's No Fly List along with personally identifiable information of CommuteAir employees. According to the hacker, the breach occurred because CommuteAir failed to change a default password on one of its servers, enabling access to sensitive data. While the hacker suggested they could potentially have canceled flights, delayed operations, or created physical employee credentials through airline systems, they clarified they did not deeply probe these capabilities due to system complexity and operational risks. The hacker explicitly denied involvement in the unrelated January 10 FAA system failure that grounded U.S. flights nationwide, which authorities attributed to accidental file deletion by contractors. CommuteAir confirmed the server compromise but stated it could not validate all of the hacker's claims, particularly regarding flight disruption capabilities.

CommuteAir responded by immediately taking the affected server offline and launching an internal investigation to determine the scope of data exposure. The airline reported the incident to the Cybersecurity and Infrastructure Security Agency (CISA) and notified the TSA, which opened a coordinated investigation with federal partners. According to CommuteAir spokesman Erik Kane, initial findings indicated no customer data was compromised, though employee data and the outdated No Fly List were confirmed as exposed. The 2019 No Fly List accessed by the hacker contained only names and birthdates without nationality or country-of-origin information. Occurring concurrently with the FAA's technical disruption, the incident drew attention to broader transportation sector vulnerabilities. Media reports also revisited the hacker's background, noting their 2021 indictment by a Washington federal grand jury for computer intrusion and identity theft involving multiple organizations. U.S. Attorney's Office representatives declined to comment on potential connections between the CommuteAir breach and the hacker's prior alleged activities.
