CommuteAir

History

2023: Employee database and passenger blacklist leak

In mid-January 2023, a Swiss information security researcher discovered an unprotected server that was left publicly available on the Internet. It revealed a huge amount of customer data by the US national airline CommuteAir, including private information about almost 1,000 employees.

A server analysis found a text file called "NoFly.csv," a reference to a subset of individuals in a terrorist screening database who are banned from air travel because of suspicions or known links to terrorist organizations. According to the researcher, the list totaled more than 1.5 million records. The data included first and last names as well as dates of birth. The list also includes numerous pseudonyms, so the number of unique faces is much less than 1.5 million.

US airline accidentally reveals database of employees and hundreds of thousands banned from flying by authorities

The list includes several famous personalities, including the recently released Russian arms dealer Viktor Booth, as well as more than 16 potential pseudonyms for him. Pseudonyms included various, common spellings of his surname and other variations of his name, as well as various birthdays. Many birthdays coincided with But registered date of birth. Many of the names on the list were of Arabic or Middle Eastern origin, although the list also included Hispanic and Anglican names.

In a statement to the Daily Dot, the U.S. Transportation Security Administration (TSA) said it was aware of a potential cybersecurity incident with CommuteAir and was investigating in coordination with federal partners. CommuteAir said the open infrastructure, which the company described as a 'development server', was being used for testing purposes. CommuteAir also confirmed the legitimacy of the data, saying that it was a version of the "federal list prohibited from flying" compiled in 2019, in addition, information was available about some CommuteAir employees and flights

In their commentary for the Daily Dot, forensic experts said they made the discovery while searching for Jenkins servers on specialist search engine Shodan. Jenkins provides automation servers to help build, test, and deploy software. Shodan is used in the cybersecurity community to find servers that are publicly available on the Internet.

The server also stored passport numbers, addresses and phone numbers of about 900 company employees, according to the Daily Dot. User credentials for more than 40 Amazon S3 buckets and CommuteAir servers have also been revealed. The terrorist screening Data Base, according to the FBI, is a list of individuals that are shared by government departments to prevent such intelligence failures that took place before September 11, 2001. Inside this base is a narrower and more tightly controlled list of no-fly individuals. Individuals included in the terrorism screening database may be subject to certain restrictions and additional security checks may be conducted. Those on the no-fly list are prohibited from boarding planes in the United States. While the list is highly classified as of January 23, 2023, and rarely leaked, it is not considered an over-classified document due to the number of agencies and individuals who need access to it.^[1]

Notes