Entire US


The entire US “No Fly List” has been made public online by a Swiss hacker who reportedly found three sensitive files stored on an insecure cloud storage server.

One of the files contains more than 1.5 million entries from the list, which covers individuals who are not allowed to travel to or from the US.

The data was found out of boredom, according to a blog post written by the hacker, known online as maia arson crimew, which saw her searching Shodan for exposed Jenkins servers.

No Fly List breach

Digging around the exposed CommuteAir server resulted in the discovery of three .csv files: employee_information.csv, nofly.csv, and selectee.csv. Arguably the most notable, and the one that has caused the most commotion in recent days, is the nofly.csv, which allegedly contains the information of flyers banned in the US.

The nofly.csv file was nearly 80 MB in size and contained more than 1.56 million rows of data related to persons banned from flying within the US, although a large portion of these entries have been reported to contain aliases.

Aliases are used to avoid detection by such lists and may involve first and last name changes, including common misspellings, and date of birth changes.

One such example, according to Daily point, which first reported on the matter, is recently released Russian arms dealer Viktor Bout, with at least 16 related aliases.

In total, it was estimated in 2016 that there were 81,000 individual people on the US No Fly List, accounting for multiple aliases per person.

Regarding the data released in 2023, crimew said: “I just think it’s crazy how big that Terrorism Screening Database is and yet there are still very clear trends towards almost exclusively Arabic and Russian sounding names in the million entries”.

In addition to this list, crimew also released a list of personally identifiable information of CommuteAir’s crew members, including full names, addresses, phone numbers, passport numbers, pilot license numbers and more.

Erik Kane, corporate communications manager for CommuteAir, confirmed that the data was legitimate and came from a 2019 version of the federal No Fly List, also acknowledging the exposure of employee data. Kane said: “We have filed a report with the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation.”

TechRadar Pro has asked the company for further comment.
