US Airline Accidentally Exposes 'No Fly List' On Unsecured Server

An anonymous reader quotes a report from the Daily Dot: An unsecured server discovered by a security researcher last week contained the identities of hundreds of thousands of individuals from the U.S. government's Terrorist Screening Database and "No Fly List." Located by the Swiss hacker known as maia arson crimew, the server, run by the U.S. national airline CommuteAir, was left exposed on the public internet. It revealed a vast amount of company data, including private information on almost 1,000 CommuteAir employees. Analysis of the server resulted in the discovery of a text file named "NoFly.csv," a reference to the subset of individuals in the Terrorist Screening Database who have been barred from air travel due to having suspected or known ties to terrorist organizations.

The list, according to crimew, appeared to have more than 1.5 million entries in total. The data included names as well as birth dates. It also included multiple aliases, placing the number of unique individuals at far less than 1.5 million. [...] In a statement to the Daily Dot, CommuteAir said that the exposed infrastructure, which it described as a development server, was used for testing purposes. CommuteAir added that the server, which was taken offline prior to publication after being flagged by the Daily Dot, did not expose any customer information based on an initial investigation. CommuteAir also confirmed the legitimacy of the data, stating that it was a version of the "federal no-fly list" from roughly four years prior. [...] The server also held the passport numbers, addresses, and phone numbers of roughly 900 company employees. User credentials to more than 40 Amazon S3 buckets and servers run by CommuteAir were also exposed.

seems like an big .csv file

[Joe_Dragon]

seems like an big .csv file.

With that much data why not put it into an better DB?

Re:

[suss]

Diskspace is cheap. I bet it compressed pretty well, though, with the duplicates of Mohammed and probably a lot of drunken Karens in there.

Re:

[Antique Geekmeister]

And competent database analysts are not cheap, especially when they proprietize the database for their own personal whims. I'm afraid I've seen too many ever-expanding personnel databases corrupted into unusability over time.

Re:

[AlanObject]

With that much data why not put it into an better DB?

My reaction exactly, but it was likely a test data file that would be inverted into a regular DB as often as needed for development purposes. Pretty damn careless though.

Re:seems like an big .csv file

[Entrope]

Because it's hard to beat CSV as an interchange format. Decades of software can ingest, process and export it.

Re:

[ShanghaiBill]

Indeed. Any DB can import csv. Any spreadsheet program can load it.

It is also easy to parse using Python, Perl, or even grep and sed.

If someone sends me data, I always ask for csv.

Re:

[Antique Geekmeister]

I always prefer tab-separated variables for data which may contain punctuation such as people's names and addresses. While there are published standards for encoding internal commas, far too many tools ignore them: tab separated variables are _far_ more portable.

Re:

[lrichardson]

Double quotes around any text string that may contain commas.

Tabs ... are actually not so good. Most languages handle them correctly; some treat them as nulls, or single spaces, with the resulting concatenation of data being as bad as you would expect.

Re:

[Antique Geekmeister]

Picking and choosing when to apply quotes, and dealing with strings which may themselves contain quotes, make simple solutions like "pre-evaluate which text strings you believe may contain commas and properly pre-condition them with quotes" relies on the ability to detect or predict which will contain commas. And quotes, and handle both correctly and consistently. Mis-handling them can corrept entire rows of data, and ruin loading procedures of very bulky csv files.

For something that needs to be consistent,

Re:

[drinkypoo]

Any DB can import csv. Any spreadsheet program can load it.

Eh. If you load a significant CSV into a spreadsheet, it explodes. For example the USDA nutritive databases, they just have too many entries. They also didn't provide types in their data dictionary, so I wound up writing a perl script that reads CSV files and analyzes their contents, then uses pgsql to create appropriate tables and import the CSVs in bulk. Which does come to your next point...

It is also easy to parse using Python, Perl, or even grep and sed.

That's true, and it's what I did. But just a pile of CSVs is kind of irritating to handle for any sizable amount of

Re:

[turp182]

That's the format it comes in from the government. I worked on oFac compliance on a couple of projects for a large international insurance company a few years back.

We loaded it to a service database/system that other systems could call to run checks.

Re:

[Askmum]

Which one and how do you transfer data between consumers of the data?

Customers?

[kmoser]

CommuteAir added that the server [...] did not expose any customer information based on an initial investigation.

That's like saying, "we accidentally killed a million people, but at least none of them ever shopped here." Who cares whether the leaked names were customers? People prohibited from flying have just as much a right to privacy as anybody else.

Re:

[Mononymous]

People prohibited from flying have just as much a right to privacy as anybody else.

That's one person's opinion. I wonder what the law says.

Re:

[Anubis IV]

I read through the original writeup from the hacker earlier today. The airline can claim no PII was compromised all they want, but the hacker cited several instances of PII they discovered for employees and I believe customers as well before they ever found the No Fly list.

Re:

[mjwx]

CommuteAir added that the server [...] did not expose any customer information based on an initial investigation.

That's like saying, "we accidentally killed a million people, but at least none of them ever shopped here." Who cares whether the leaked names were customers? People prohibited from flying have just as much a right to privacy as anybody else.

Standard corporate doublespeak... "don't worry [investors], we didn't affect anyone who might be able to sue us".

Fine

[cawdor]

There really should be a fine for every individual's details that are unsecured and leaked. Categorised by importance, ie name ($5), birthdate ($10), driver's license or SS number ($25), passport number ($50). They stack of course, so if all 4 detail types are leaked, that's a $90 fine. There needs to be some kind of assurance that companies really "take your privacy seriously".

Re:

[NFN_NLN]

Company: loses $90 per person.

Plaintiff: gets 84 cents and a coupon for frozen yogurt in the class action lawsuit.

Typical jerkoff: You had me at frozen yogurt.

Re:

[joe_frisch]

Allow board of directors sealed -bid on the value of their personal data. Everyone who bids below the median bid has their data released. That sets the data value for their users. But seriously I like your concept but think your numbers are very low. The cost of fixing identiy theft can be be very much larger than those numbers

Re:

[cawdor]

Yeah the numbers are just examples of course. But you also have to keep in mind that a fine is meant as a a punishment/deterrent, not a bankruptcy tool. $1000 per person may sound more suitable in an individual case, but unless we're talking about the world's largest companies, a $1B fine for the exposure of 1M customer records will end most companies.

Re:

[joe_frisch]

Yes, but then they need to insure against the damage, and the insurance company will need to be convinced that they won't lose the data. My goal is to provide a financial motivation to protect customer data - the same way companies take extreme care to make sure their products don't injure people.

Re:

[kmoser]

Even better, let the free market decide: individuals should have the right to set the price of their personal information. Just like when a company says their software is worth $49 and somebody who pirates 1,000 copies gets charged with "theft" of $49,000, I should be able to say my SSN is worth $10,000 and every company that leaks it should pay me $10,000 every time it is downloaded without my permission. P.S. My legal fees are extra.

Re:

[drinkypoo]

Your numbers are off by about two orders of magnitude. They should have to pay for the potential harm. Identity theft can be extremely costly.

Why Are They Kept Private

[theshowmecanuck]

This should be a public list. The ones on it that shouldn't be can find out and appeal. The ones who are legitimately on it, we should know about. If someone who lived next door to me was dangerous enough not to allow on a plane, I'd want to know if they lived next door to me.

Re:Why Are They Kept Private

[russotto]

It should be a nonexistent list. It's punishment without trial.

Re:Why Are They Kept Private

[tomz16]

Agree... More importantly, it's a secret list, maintained by the government, regulating who a private company can (or in this case cannot) do business with.

Let's say that I hypothetically wanted to build a pair of airports, open to the general public (i.e. non-FBO). My planes would only go between those two airports (i.e. passengers would not get into the general passenger stream). Even in that simple case, the government is still going to show up at my door with a mandatory team of people to grope my customers AND a secret list of people I CAN NEVER do business with. A secret list of people that are somehow deemed "too dangerous to fly", but not "too dangerous to prosecute for any crime?" There's just something un-american about the entire concept, and nobody has dared to revisit this nonsense since 2001.

Re:

[blackomegax]

Look at it this way. While you definitely don't let a convicted pedophile near a child, you're also going to not let a suspected pedophile near a child. basic risk management. Especially when the un-convicted ones are often smarter than the convicted ones (and thus more elusive in terms of ability to stick charges)

Re:

[russotto]

Look at it this way: "nor be deprived of life, liberty, or property, without due process of law". Calling keeping "suspected terrorists" off planes a matter of "risk management" doesn't make it less of a deprivation of their liberty.

Re:Why Are They Kept Private

[93 Escort Wagon]

This should be a public list.

Well, then, good news! It is now...

Re: Why Are They Kept Private

[FudRucker]

post links to download everywhere, 4chan, craigslist, any website that will let you

Re:Why Are They Kept Private

[Iamthecheese]

What if I told you "the government thinks they're dangerous" and "they are dangerous" are two different things? Would that blow your mind?

Re:

[Knightman]

There's also the third option, innocent people ending up on the list because some government shitheel with a miniscule amount of power took pleasure in making life miserable for someone they had a bad interaction with.

Re:

[theshowmecanuck]

Yes, and they don't know it because it is secret and because it is secret, their life can be ruined without anyway to know why or option to have it removed.

Re:Why Are They Kept Private

[Antique Geekmeister]

These were precisely what the "Star Chamber" of British courts did. Secret decisions were made without public record, with no opportunity for defense, without appeal, without the knowledge of the accused and with no opportunity to face their accusers.

        https://en.wikipedia.org/wiki/... [wikipedia.org]

This is one of the reasons the US Constitution is so clear about the rights of the accused, and it is precisely is ignored by the No-Fly list and has been ignored for prisoners in Guantanamo Bay. It is a horrible stain on USA courts and the rights of USA citizens and those within USA borders.

Re:

[sabt-pestnu]

or because the FBI wanted to pressure them into becoming informants. [truthout.org] (or from the ACLU [aclu.org]).

Re:

[kmoser]

What if I told you that sometimes the government is more dangerous than the people the government thinks are dangerous? Would that blow your mind even more?

Re: Why Are They Kept Private

[Plugh]

What if I told you that sometimes religious zealots and fanatical idealists are more real and immediate dangers than The Government? Would that blow your mind?

Re:

[CaptQuark]

If someone who lived next door to me was dangerous enough not to allow on a plane, I'd want to know if they lived next door to me.

It's not just dangerous people on the list. If a Karen was arrested three times because she refused to put her Chihuahua under the seat in front of her, would you really ostracize her? What about the drunk arrested coming back from CES? Or the idiot that thought it was important to take a stand about not wearing a mask on the plane? Or the mother that refused to punish her child for kicking the seat in front of them?

Any flight attendant can request the captain eject you from the flight. If you have a b

Shockingly, BeauHD was on it!

[CmdrPorno]

But seriously, has anyone digested the list to look for notable names?

Why is there a no fly list?

[rsilvergun]

If someone's a criminal enough to make the list shouldn't they just be arrested? And if they're not, why are they on a list? Sanctions are one thing, but there are us citizens on the list, right?

Re:

[sabt-pestnu]

A safety issue is: we don't want weapons on an airplane.
A punishment issue is: we don't want YOU on an airplane.

It's all about "punishing terrorists".

Re:

[rsilvergun]

Okay as long as it's extrajudicial I guess that's a okay right? Seriously it really does seem like an extra judicial attack on citizens. Again you can do anything you want with a non-citizen when sanctions are involved as long as there isn't a treaty, but in theory every American citizen is due a trial.

Re:

[mjwx]

If someone's a criminal enough to make the list shouldn't they just be arrested? And if they're not, why are they on a list? Sanctions are one thing, but there are us citizens on the list, right?

I have no doubt there will be foreign nationals on there as well. Probably the entire TSA control list.

For the Americans playing along at home, for a foreigner to enter the US, we need an ESTA (Electronic System for Travel Authorisation). Not a big deal and only $14 for 2 years, however if you've a similar name to someone on the control list, you need to open an individual case to "redress" this (prove you are not the person who is on the control list) and be given a redress number. I imagine that it wou

Re:

[mjwx]

This article from Simple Flying has more details in it, there are definitely non-Americans on there on there (and about 1.5 million entries).

https://simpleflying.com/hacker-acess-fbi-no-fly-list/ [simpleflying.com]

Kinda dangerous

[tiananmen tank man]

Dangerous to not be allowed to fly, but not dangerous enough to be arrested/charged.

Common Names

[Retired Chemist]

I knew a Brit who had a fairly common name, which was on the no-fly list. Every time he came to the US, he had to prove he was not the guy on the list. One and half million names? Probably more innocent people are being forced to jump through hoops to do something usual, than anything else. Any real troublemaker will simply acquire a new false identity. The whole thing is an exercise in bureaucratic stupidity.

Hmmmm...

[yusing]

No interest in the info of 1.5M people, but I *would* like to see a complete list of the organizations the current USGov consider to be terrorist.

>fine for every individual's details that are unsecured and leaked.

Eeeyah, *if* the proceeds of that fine are paid directly to each of the affected individuals ... and those individuals thereby notified are then free to press further charges ... *before* the company also and separately has to pay for the fees of the prosecutors. IF the company runs out of cash and liquifiable assets, then the homes of the Chief officers, then the boardmembers, then random shareholders, are sold until the balance is cleared.

I'm an archivist and want a copy of this list

[rcb1974]

Someone please post a link to it. Thanks!