On Jan. 19, 2023, a Swiss hacker leaked over 1.5 million names that were the 2019 No Fly List, a document that was kept on an unprotected server. But why has Pokémon been mentioned?

The list in question details the names of criminals or otherwise suspicious individuals who have been deemed unfit for an airplane due to terrorist concerns. The Transport Security Administration (TSA) oversees the upkeep of this list and supposedly the classified nature of the document. That is until a Swiss hacker got her hands on it. The Swiss hacker, who goes by the alias “maia arson crimew,” claims she was simply bored before she came upon the list. She states she was browsing a server search engine, looking for unprotected servers and any harmless goodies they may contain. She finally came across a server that belonged to CommuteAir, a regional U.S. airline. 

While she was digging for any interesting information from this server, she fell upon a few files named “noflycomparison” and “noflycomparisonv2” which are potentially used internally to check if any person from the No Fly List has made it onto airlines. Crimew also came across a file titled “NoFly.csv,” with 1.56 million lines of data. Upon further inspection, each of these lines contained classified names that the TSA had meticulously put together after the individuals were screened and booted from U.S. air travel. As she realized what she uncovered, she began to write a post for her blog, maia.crimew.gay. This is where she posted a picture of a Sprigatito Pokémon plush, lovingly named Bingle, in front of the classified document. The TSA later made a statement on the breach of security.

“[The agency is] aware of a potential cybersecurity incident with CommuteAir, and we are investigating in coordination with our federal partners,” The TSA commented to the DailyDot.

The airline confirmed that the exposed server was being used for testing purposes, and reassured its customers that no other personal information was leaked. A few of their crew’s information did happen upon the server in a separate file, but crimew did not leak any of that sensitive information. She focused only on the federal list. Crimew states that she will give out the 2019 list to any journalist, researcher or human rights activist who is curious, as she believes that it is in the public interest for it to be available upon request. Crimew later tweeted that Congress had launched an investigation into the leak, to which she followed up with the statement: “but I stay silly :3”