She found the TSA data: the Swiss Tillie Kottmann.
Sven Ziegler, Editor News
The Swiss hacker Tillie Kottmann (23) is again causing unrest in the USA. On Friday, she discovered the US Transportation Security Administration’s (TSA) no-fly list on an unsecured server. Around 1.5 million names of known terrorists and terrorist suspects were publicly available. Now US politicians are calling for an investigation.
Sandro Nafzger (37) is not surprised that such explosive data from US authorities will eventually end up online. “The entire aviation industry is not at the forefront when it comes to digital security,” says the CEO of Bug Bounty Switzerland. He and his team act as intermediaries for “ethical hackers” who look for vulnerabilities in their IT systems on behalf of companies and governments.
It is striking that sensitive data is being distributed more widely in list form. “Working with such lists between many parties is problematic and involves risks,” says the expert. “There would be the opportunity to work with protected IT systems including precisely regulated access authorizations. In addition, IT systems should be continuously checked for security gaps so that such problems can be remedied proactively.”
List shows grievance
Nafzger looked at Kottmann’s approach and came to the conclusion: “The whole hack is cleverly structured, but technically rather simple. This is not magic for a professional, as this is a typical IT hygiene problem as we see it every day.”
The incident is embarrassing for the airline concerned and the US authorities, says Nafzger. At the same time, it is also a wake-up call – not only for the USA. “We also observe such security gaps in Switzerland. Our ethical hackers find some highly critical vulnerabilities within a very short time. With the right skills, such attacks are very easy in many cases.”
“Basic hygiene in terms of IT security is not done in many places.” Sandro Nafzger, IT expert
The publication of the list is exciting for the public because it allows a look behind the scenes. At the same time, you realize that hundreds of thousands of people, including ordinary people, can end up on such lists. “For these people, this has drastic consequences.”
It is becoming apparent that dealing with IT security is difficult and that there is a huge backlog in many places, says the expert. “That also applies to Switzerland. Imagine an IT system of critical infrastructure being paralyzed – human lives are very quickly at stake.”
Eight year old on the list
Exact details about the content of the list are known only to a few. Kottmann does not make them publicly available. However, it is known that several well-known names are on the list, including the recently released Russian arms dealer Viktor Bout (56). In addition, suspected members of the IRA are listed. The goal of this outlawed military group is to drive the English out of Ireland.
As Kottmann told the “Daily Dot” portal, the list of 1.5 million entries also includes hundreds of aliases. The effective number of people on the list is therefore significantly smaller. Particularly extreme: According to his date of birth, one of the terrorist suspects on the list was just eight years old.
“Worst case” for prosecution
It’s not the first time the young woman has made waves in the States. The Swiss woman is said to be behind the hack of over 150,000 surveillance cameras in March 2021. In 2020, she hacked into Intel’s internal systems. She then published building instructions for computer processors on her former website. The website has since been confiscated by the FBI.
“If you get targeted by US law enforcement agencies, that’s the worst case scenario,” says attorney Martin Steiger, a specialist in data protection law and IT law. In the USA, such procedures are much tougher and stricter than in Switzerland, and the penalties are significantly higher. “In addition, the American authorities are very snappy. They try to get to the accused people worldwide,” says Steiger.
“She can no longer simply leave Switzerland – she faces arrest and many years in prison.” Martin Steiger, specialist in data protection law and IT law
Because of Kottmann’s activities, her apartment and that of her parents were searched by the Swiss police in 2021. In addition, the US authorities brought charges against the hacker, including charges of “conspiracy”.
Attorney Steiger says that just the pending lawsuit could bring Kottmann up to 20 years in prison. “The latest case could potentially result in another lawsuit and a higher penalty. Cumulative procedures are common in the United States. This means that the penalties are simply added together,” explains the lawyer.
Steiger cannot say how many years in prison Kottmann is threatened with in total: “But one thing is clear: she cannot simply leave Switzerland. Otherwise she faces immediate arrest – and many years in prison.”