The US airline CommuteAir reportedly left a federal "No Fly List" on an unsecured server that was then accessed by a Swiss hacker.
The exclusive report comes from The Daily Dot, which claims that US airline CommuteAir left an unsecured server open containing a large quantity of sensitive information. The server was accessed by a Swiss hacker who goes by "maia arson crimew" and who wrote a blog post titled "how to completely own an airline in 3 easy steps," explaining that they stumbled across the sensitive server by accident and out of boredom.
Essentially, the hacker was just browsing the search engine Shodan when they discovered the server and a file titled "NoFly.csv". On opening the file, they found a 2019 version of the federal No Fly List, which includes first and last names as well as dates of birth. The Daily Dot reports the list contained the names and aliases of many high-profile people, such as the recently freed Russian arms dealer Viktor Bout and his 16 aliases.
CommuteAir Corporate Communications Manager Erik Kane told The Daily Dot that the server also contained sensitive information on CommuteAir employees and flight information, and that the company has submitted a notification to the Cybersecurity and Infrastructure Security Agency while also conducting its own investigation.
Researchers have already reviewed the information on the exposed server, and according to The Daily Dot, the No Fly List showed a heavy bias against Muslim people. Unfortunately, neither the hacker nor CommuteAir confirmed the specific number of people on the 2019 list. However, according to Sen. Dianne Feinstein, the 2016 No Fly List contained more than 81,000 people, which is at least something to go by.
It should be noted that in crimew's blog post, they wrote that they found many mentions of the word "crew" and other words they recognized after binge-watching "mentor pilot YouTube videos".
Erik Kane, a spokesperson for CommuteAir, said in a statement to Insider that based on initial internal investigations, no customer data was exposed and that CommuteAir has since taken the exposed server offline. Furthermore, the Transportation Security Administration has confirmed it's been made aware of the incident and has launched its own investigation.