A copy of the no-fly list leaked from an unsecured commercial airline server, reports Motherboard. The No Fly List is an official list of persons who are prohibited from entering and leaving the United States on commercial flights.
As first reported by The Daily Dot, a Swiss hacker known as maia arson crimew discovered the list on an unsecured Jenkins server one night while digging into Shodan, a search engine that allows people to browse servers connected to the Internet.
“Like so many other of my hacks this story starts with me being bored and browsing shodan (or well, technically zoomeye, Chinese shodan), looking for exposed jenkins servers that may contain some interesting goods,” crimew wrote in a blog about the leak. “At this point I’ve probably clicked through about 20 boring exposed servers with very little of any interest, when I suddenly start seeing some familiar words. ‘ACARS,’ lots of mentions of ‘crew’ and so on. Lots of words I’ve heard before, most likely while binge watching Mentour Pilot YouTube videos. Jackpot. An exposed jenkins server belonging to CommuteAir.”
The server contained a large amount of data about the company CommuteAir, including private information about its employees. It also held a file containing a copy of the 2019 No Fly List. The list records names and dates of birth and runs to more than 1.5 million entries, though many of those entries are aliases for the same person.
The United States has maintained a No Fly List for decades, but before 9/11 it was much smaller and contained only 16 people. After the terrorist attacks and the creation of the Department of Homeland Security, the list quickly expanded. The exact number of people on the list is unknown, but recent estimates put the total at somewhere between 47,000 and 81,000 people.
crimew told Motherboard that they weren’t shocked to come across an unsecured copy of the blacklist. “I’ve been digging into various jenkins [servers] for a while and there’s just so much to find,” they noted. “It was just a matter of time until I found something like this.”
CommuteAir said the leak happened because of a misconfigured development server. “The researcher accessed files including an outdated 2019 version of the federal no-fly list that included first and last name and date of birth,” it said. “Additionally, through information found on the server the researcher discovered access to a database containing personal identifiable information of CommuteAir employees. Based on our initial investigation, no customer data was exposed. CommuteAir immediately took the affected server offline and started an investigation to determine the extent of data access. CommuteAir has reported the data exposure to the Cybersecurity and Infrastructure Security Agency, and also notified its employees.”