The entire US “No Fly List” has been exposed online by a Swiss hacker who found three sensitive files stored on an insecure cloud storage server.
One file contains information on more than 1.5 million entries on the list, which covers individuals who have been banned from traveling to or from the United States.
The data was found out of boredom, according to a blog post written by the hacker, known online as maia arson crimew, which describes her searching Shodan for exposed Jenkins servers.
No-fly list breach
Digging around the exposed CommuteAir server, she discovered three .csv files: employee_information.csv, nofly.csv, and selectee.csv. The most prominent of them, and arguably the one that has caused the most uproar in recent days, is nofly.csv, which has been reported to contain information about individuals banned from flying in the United States.
The nofly.csv file was approximately 80MB in size, and contained more than 1.56 million rows of data regarding individuals who should not travel within the United States, although a significant proportion of those entries were reported to include pseudonyms.
Aliases are used in an effort to avoid detection by these lists, and can include variations of first and last names, including common misspellings, and changes in dates of birth.
One such example, according to the Daily Dot, which first reported the matter, is the recently released Russian arms dealer Viktor Bout, with at least 16 associated aliases.
Overall, it was estimated in 2016 that there were 81,000 individuals on the US no-fly list, factoring in each person’s multiple aliases.
Regarding the data disclosed in 2023, crimew said: “It’s crazy to me how huge the database of terrorism checks is, yet there are still very clear trends towards almost exclusively Arabic and Russian names across the million entries.”
Along with this list, Crimew also disclosed a list containing personally identifiable information for CommuteAir crew members, including full names, addresses, phone numbers, passport numbers, pilot’s license numbers, and more.
Erik Kane, CommuteAir’s director of corporate communications, confirmed that the data was legitimate and came from the 2019 version of the federal no-fly list, while also acknowledging that employee data was exposed. “We have sent a notification to the Cybersecurity and Infrastructure Security Agency and are continuing to fully investigate,” Kane said.
TechRadar Pro has asked the company for further comment on the matter.