A major regional carrier that operates flights on behalf of United Airlines under the United Express brand has accidentally leaked the federal terrorist ‘no-fly’ list after leaving the file on an unsecured public server, according to a Swiss hacker who discovered the data.
The No-Fly List is maintained by the Terrorist Screening Center and administered by the FBI, as well as the Department of Justice, and several other agencies, including the CIA and Department of Homeland Security.
The federal government has released very little information about the No-Fly List over concerns that doing so would give terrorists the ability to circumvent the very purpose of the list.
It is the policy of the U.S. government to neither confirm nor deny whether someone is on the list, although the DHS says that you can be sure that you are not on the list if you receive a boarding pass ahead of a flight.
Prior to 9/11, just 16 people were listed as ‘no transport’ by the federal government, but the list quickly swelled in the aftermath of the terrorist atrocity. By 2011, around 16,000 names were on the list, and by 2013 that number had risen to a reported 47,000 names.
Now, hacker maia arson crimew claims the list they discovered had more than 1.5 million names – although the list included common aliases, misspellings and different dates of birth, so the total number of actual individuals officially designated as ‘no-fly’ could be much lower.
The hacker discovered the list as they were trawling through a public server run by Ohio-based CommuteAir. The regional carrier is currently the sole provider of 50-seater Embraer ERJ flights for United Airlines.
Along with private employee data, maia arson crimew also claims to have found an unsecured text file that was named ‘NoFly.csv’. That list wouldn’t be easy to find for most internet users but wasn’t secure or ‘hidden’ to prevent illegal access.
CommuteAir says the server has already been taken offline.
“The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth,” the airline told the Daily Dot in a statement.
“In addition, certain CommuteAir employee and flight information was accessible. We have submitted notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation.”
Personal details, including the passport numbers, addresses, and phone numbers, of around 900 employees were publicly accessible on the server. CommuteAir says no passenger data was compromised.
In a statement, the Transportation Security Administration (TSA) said it was “investigating in coordination with our federal partners.”
Mateusz Maszczynski honed his skills as an international flight attendant at the most prominent airline in the Middle East and has been flying ever since... most recently for a well known European airline. Matt is passionate about the aviation industry and has become an expert in passenger experience and human-centric stories. Always keeping an ear close to the ground, Matt's industry insights, analysis and news coverage is frequently relied upon by some of the biggest names in journalism.
Why is this titled “airline LEAKS list”? They didn’t leak it. Leaking something means you PURPOSEFULLY send it out so it will be shared. This airline was dumb and had the list on a server that wasn’t properly secured. The hacker HACKED into that and took it. No one leaked anything. It would be like saying you gave away your stuff if you leave your back door unlocked and someone unlawfully enters your house and takes it.
There is no guarantee that someone working for or with UA’s regional airline partner didn’t decide this was a way to leak the list.