The US “No Fly” list has had 1.5 million entries made public. The list was posted online by a Swiss hacker who allegedly discovered three private documents on an insecure cloud storage server. One of the files contains more than 1.5 million entries of people who have been prohibited from entering or leaving the US.
According to a blog post by the hacker, known online as maia arson crimew, the information was discovered out of boredom while searching Shodan for unprotected Jenkins servers.
NEW: The federal No Fly List was exposed on an open server discovered by a security researcher last week.
The list, which was being stored by the US airline CommuteAir, contained over 1.5 million rows of data including names, aliases, & birth dates. https://t.co/fhL3w97BFj
— Mikael Thalen (@MikaelThalen) January 19, 2023
No Fly List Containing Private Data
The employee information.csv, nofly.csv, and selectee.csv files were located on the publicly accessible CommuteAir server. The nofly.csv file, which reportedly contains the data of fliers banned in the US, has drawn the most attention and controversy. It was about 80MB in size, held more than 1.56 million rows of information about people prohibited from flying within the US, and is reported to contain many aliases.
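The files described above were found because nobody had inventoried what was sitting on the exposed server. A defender's first step against that failure is knowing which exports hold personal data before they are shared with a partner or left on a build host. The following added example (written for this page, not code from CommuteAir, crimew or the researchers quoted) classifies CSV documents by looking both at column names and at the shape of the values, so that a file with unhelpful headers such as "D.O.B." is still flagged. The header list, the value patterns and the three sample documents are all constructed for the example.

```python
import csv
import io
import re
from collections import Counter

# Column names that usually hold personal data. Constructed list for this
# example; a real inventory tool would load these from policy.
SENSITIVE_HEADERS = {
    "name", "full_name", "first_name", "last_name", "alias", "aliases",
    "dob", "date_of_birth", "birth_date", "passport", "passport_number",
    "phone", "phone_number", "address", "home_address", "pilot_license",
}

# Value shapes that suggest personal data even when the header is unhelpful.
# Constructed patterns; tune them to the document formats you actually hold.
VALUE_PATTERNS = {
    "birth_date": re.compile(r"^(19|20)\d{2}-\d{2}-\d{2}$"),
    "phone": re.compile(r"^\+?\d[\d .()-]{7,}\d$"),
    "passport": re.compile(r"^[A-Z]{1,2}\d{6,9}$"),
}


def normalise(header):
    """Map 'Passport Number' -> 'passport_number' so header lookups are stable."""
    return header.strip().lower().replace(" ", "_")


def classify_csv(text, sample_rows=200, min_ratio=0.8):
    """Classify one CSV document.

    Returns {'rows': data row count, 'findings': {column: reason}, 'level': 'high'|'low'}.
    A column is reported when its header is a known sensitive name, or when at
    least min_ratio of its sampled non-empty values match one of VALUE_PATTERNS.
    """
    reader = csv.DictReader(io.StringIO(text))
    columns = reader.fieldnames or []
    findings = {}
    for col in columns:
        if normalise(col) in SENSITIVE_HEADERS:
            findings[col] = "sensitive header name"

    matches = Counter()  # (column, pattern label) -> matching values seen
    sampled = total = 0
    for row in reader:
        total += 1
        if sampled >= sample_rows:
            continue  # keep counting rows, stop inspecting values
        sampled += 1
        for col in columns:
            val = (row.get(col) or "").strip()
            if not val:
                continue
            for label, pat in VALUE_PATTERNS.items():
                if pat.match(val):
                    matches[(col, label)] += 1
    for (col, label), n in matches.items():
        if col not in findings and sampled and n / sampled >= min_ratio:
            findings[col] = f"values look like {label}"

    return {"rows": total, "findings": findings, "level": "high" if findings else "low"}


def scan_documents(docs):
    """Classify every document in {name: text} and return the riskiest first."""
    report = [{"file": name, **classify_csv(text)} for name, text in docs.items()]
    report.sort(key=lambda r: (r["level"] != "high", -len(r["findings"]), r["file"]))
    return report


# Constructed sample documents; none of this is real data.
SAMPLE_DOCS = {
    "crew.csv": "Full Name,Home Address,Phone Number,Passport Number\n"
                "Pat Example,1 Example St,+1 555 010 0001,AB1234567\n"
                "Sam Example,2 Example Ave,+1 555 010 0002,C7654321\n",
    "watch.csv": "ID,Surname,Given,D.O.B.\n"
                 "1,EXAMPLE,PAT,1980-01-02\n"
                 "2,EXAMPLE,P.,1980-01-02\n"
                 "3,EXMPLE,PAT,1981-01-02\n",
    "schedule.csv": "Flight,Origin,Destination,Departure\n"
                    "CA101,IAD,ORD,2023-01-19T08:00\n",
}

if __name__ == "__main__":
    for entry in scan_documents(SAMPLE_DOCS):
        print(entry["file"], entry["level"], entry["rows"], entry["findings"])
```

Run over a real export directory, the report gives the list of files that must not sit on a shared or internet-facing host without access control; the watch.csv case shows why value-based checks matter, since its headers alone say nothing about birth dates.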
Aliases, including frequent misspellings of first and last names and altered birth dates, are used in an effort to evade such lists, which is why the list records them. One example is the recently released Russian arms trader Viktor Bout, who has at least 16 linked aliases, according to the Daily Dot, which broke the story.
Considering each person’s various aliases, it was estimated in 2016 that there were 81,000 distinct individuals on the US No Fly List.
“I find it simply remarkable how huge that Terrorism Screening Database has become and yet there are still very evident patterns towards almost mainly Arabic and Russian sounding names across the million entries,” crimew said in reference to the data revealed in 2023.
Along with this data, crimew also made public a list of the crew members of CommuteAir that contained personally identifying information, such as full names, residences, phone numbers, passport numbers, pilot license numbers, and more.
Erik Kane, corporate relations manager for CommuteAir, acknowledged the exposure of employee data and verified that the data was accurate and originated from a 2019 edition of the federal No Fly List. “We have notified the Cybersecurity and Infrastructure Security Agency and are investigating thoroughly,” Kane added.
Interestingly, the records were initially presumed to be from 2022 because the list was uploaded to CommuteAir’s systems in that year. “The only reason we know it is from 2019 is that the airline continues stating so in all of their press statements; before that, we assumed [it] was from 2022,” says crimew.
Conclusion
Commenting on today’s news that a Swiss hacker allegedly found the US “No Fly List” in three critical files on an insecure cloud storage server, Todd Carrol, VP of Cyber Operations and Chief Information Security Officer at CybelAngel, offered the following assessment, drawing on 20 years of experience in the FBI’s Counterterrorism, Cyber/Counterintelligence, and Intelligence Operations divisions.
“It should be concerning that someone browses an open server and finds a large number of .csv files. In an effort to safeguard the public, very sensitive information was supplied to CommuteAir, which utterly failed. Also failing was the US government. They entrust airlines with data obtained from National Security intelligence in this situation and take no additional steps to ensure that the material is secure outside of questionnaires and confidence. Every day, CybelAngel assists its clients in determining whether the data shared with trusted partners and vendors is secure. Okay is good enough, according to both CommuteAir and the US Government, but in the end, it wasn’t.”