Cyber Incident Victim: CommuteAir
Date: Jul 2022
Location: United States of America
Summary
A misconfigured AWS server belonging to CommuteAir exposed sensitive U.S. No Fly and Selectee lists containing approximately 1.5 million records with individuals' names, aliases, and dates of birth, alongside employee personally identifiable information. The outdated 2019 watchlists, used for software testing purposes, were subsequently leaked on a public hacking forum by a known threat actor who initially discovered the unprotected server. While no customer data was reportedly compromised, the breach prompted immediate server takedown, federal investigations by TSA and CISA, and revised security directives for airlines regarding the handling of sensitive information. Government officials expressed national security concerns over potential unauthorized flight disruptions and systemic vulnerabilities in critical transportation infrastructure.
Description
In July 2022, a misconfigured AWS development server operated by regional airline CommuteAir was accessed by Swiss hacker maia arson crimew, exposing outdated 2019 versions of the U.S. No Fly and Selectee lists along with employee personally identifiable information. The No Fly list contained 1,566,062 entries including names, aliases, and birthdates of individuals prohibited from boarding aircraft, while the Selectee list held 251,169 records of passengers requiring enhanced screening. Security researcher Mikael Thalen and Daily Dot journalist David Covucci first documented the exposure, which originated from files uploaded to CommuteAir's server for software compliance testing of federal security requirements. The hacker downloaded these lists and subsequently published them on a public hacking forum on January 26, 2023, marking the first public dissemination of such sensitive watchlist data. Analysis revealed duplicates and spelling variations within the lists, indicating the actual number of unique individuals exposed was lower than the total record count. Notable entries included Russian arms dealer Viktor Bout with 16 aliases. CommuteAir took the affected server offline upon notification and initiated an investigation that determined no customer data was compromised, though employee PII was accessed. The airline reported the breach to the Cybersecurity and Infrastructure Security Agency and notified affected staff.

The Transportation Security Administration launched an investigation and issued a January 27 security directive reinforcing existing protocols for handling sensitive security information across aviation entities. TSA confirmed no agency systems were breached, emphasizing the data originated from CommuteAir's testing environment. The FBI's Terrorist Screening Center, which maintains the Terrorist Screening Database underlying the No Fly list, faced scrutiny as lawmakers including Congressman Dan Bishop and Homeland Security Committee Chairman Mark Green questioned TSA Administrator David Pekoske about security lapses. The hacker's claims of potential flight disruption capabilities—such as canceling flights or altering crew assignments—elevated concerns about critical infrastructure vulnerabilities within the transportation sector. Congressional correspondence highlighted risks to aviation security and civil liberties stemming from the exposure of a database integral to multiple federal agencies including Customs and Border Protection and the Department of Defense. Historical context revealed prior watchlist exposures by researchers like Bob Diachenko in 2021, though those incidents involved more detailed records and were resolved before public disclosure. CommuteAir characterized the exposed lists as obsolete test data while government entities assessed operational security implications of the unauthorized disclosure.
