The US No Fly List is a list of individuals who are barred from traveling to or from the United States. Recently, a Swiss hacker known as maia arson crimew discovered three sensitive files containing data related to this list stored on an unsecured cloud storage server. The files contained information on more than 1.5 million individuals and were almost 80MB in size. Additionally, the hacker uncovered a list with personally identifiable information of CommuteAir’s staff members. Here are the details…
US No Fly List of 1.5 million individuals exposed in cyber attack
The US “No Fly List” has been exposed online by a Swiss hacker who reportedly found three sensitive files stored on an unsecured cloud storage server. The hacker, known online as maia arson crimew, discovered the data while searching for exposed Jenkins servers on Shodan. The files contained information on more than 1.5 million individuals who have been barred from traveling to or from the US.
According to a blog post written by the hacker, the data was found out of boredom. Digging around the exposed CommuteAir server resulted in the discovery of three .csv files: employee_information.csv, nofly.csv, and selectee.csv. The nofly.csv file was the most notable, and contained information on flyers banned in the US. It was almost 80MB in size and contained more than 1.56 million rows of data related to individuals who must not fly within the US. However, it has been reported that a large proportion of these entries are aliases.
Aliases are used in an effort to avoid detection by such lists, and can involve changes to the first name and surname, including common misspellings, and changes to birth dates. One example is Russian arms dealer Viktor Bout, who has at least 16 related aliases.
In 2016, it was estimated that there were 81,000 individual people on the US No Fly List, taking into account multiple aliases per person. With regard to the data exposed in 2023, crimew said: “It’s just crazy to me how big that Terrorism Screening Database is and yet there is still very clear trends towards almost exclusively Arabic and Russian sounding names throughout the million entries”.
Besides this list, crimew also exposed a list containing personally identifiable information of CommuteAir’s crew members, including full names, addresses, phone numbers, passport numbers, pilot license numbers, and more. Erik Kane, corporate communications manager for CommuteAir, confirmed that the data was legitimate and came from a 2019 version of the federal No Fly List, and also acknowledged the exposure of staff data. Kane said: “We have submitted notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation.”