The story began in April when researchers Ian Carroll and Sam Curry were exploring a third-party website called FlyCASS. This vendor provides smaller airlines with access to the TSA’s Known Crewmember (KCM) and Cockpit Access Security System (CASS) databases. While testing the site’s login page, they noticed a telltale MySQL…