CommuteAir

CommuteAir is a regional airline headquartered in the United States, providing passenger air transportation services within domestic markets. It operates scheduled flights connecting smaller communities to larger hubs, supporting regional mobility. The airline handles operational data, employee records, and interacts with federal aviation security systems such as the TSA No Fly and Selectee lists for compliance and testing purposes. The organization’s activities are subject to oversight by transportation security authorities and must adhere to strict data protection standards for sensitive information.

CommuteAir has been identified as handling outdated 2019 versions of the TSA No Fly and Selectee lists for software testing, indicating a role in aviation security compliance workflows. The airline’s reliance on cloud infrastructure, exemplified by an AWS server used for internal testing, highlights its use of modern IT environments for operational support. Notable incidents reveal vulnerabilities such as unchanged default server passwords and misconfigured cloud storage, which led to exposures of government watchlists and employee personally identifiable information. These events prompted immediate server takedowns, federal investigations by the TSA and CISA, and prompted revised security directives for airlines regarding sensitive data handling. The airline’s response included taking compromised systems offline, cooperating with authorities, and asserting no customer data was exposed. While no customer data was reportedly compromised in either breach, the exposures raised national security concerns about potential unauthorized flight disruptions and systemic vulnerabilities in critical transportation infrastructure.