Welp - TSA's no-fly list found on unsecured server, 1.5MM entries exposed

ElPaso Pilot
From the gang that can't hit straight, nor audit their partners' data security -- a text file named NoFly.csv was found on an unsecured CommuteAir server.


EXCLUSIVE: U.S. airline accidentally exposes ‘No Fly List’ on unsecured server

One of the most sensitive U.S. government documents was left online.

"The server also held the passport numbers, addresses, and phone numbers of roughly 900 company employees. User credentials to more than 40 Amazon S3 buckets and servers run by CommuteAir were also exposed...

...an expert familiar with the contours of the No Fly List cautioned that a list that size may be the larger Terrorism Screening Database and not the smaller No Fly List. "

https://www.dailydot.com/debug/no-fly-list-us-tsa-unprotected-server-commuteair/
 
"one of the most sensitive US govt documents"

good grief.
 
I remember flying 135 about 2005 and we had to check passengers against an excel spreadsheet someone downloaded from somewhere. We could check anybody we wanted I guess. My recollection and understanding might be off though, it was not a sophisticated solution.
 
Pretty sure Abdallah, Abdellah, Abdollah, Abdullah, Abdulla or Abdalla already know they are on the list.
 
The way to make sure a federal agency doesn't lose sensitive data is to not let the federal agency have sensitive data. This would be more hilarious if the same contractor worked on this as did the last support of the NOTAM system.
 
While reading it was no doubt interesting, being able to add or delete names from it was probably even more fun!
 
Hmm, agreed. The people on it know they are on it.

But not TSA letting it out.

Only if they have ever tried to fly. TSA does not tell you if you are on it, and it is quite the legal process to even try to find out. The documents are SSI, but apparently someone at the airline must have saved a copy to their server, which is a no-no as well.

The list has existed since 2001, and as far as I know this is the first time it was ever publicly leaked. Even then it was a 3 year old copy of it.
 