There are over 1.5 million entries in the list.
The unsecured server, discovered by a security researcher last week, contained the identities of hundreds of thousands of people from the U.S. government's terrorist screening database and "no-fly list."
Discovered by the Swiss hacker arsoncrimew, a server operated by US national airline CommuteAir exposed a massive amount of company data, including the personal information of almost 1,000 CommuteAir employees.
A text file named "NoFly.csv" was found on the publicly accessible server. It corresponds to a subset of individuals in the terrorist screening database who are banned from air travel because of suspected or known links to terrorist organizations.
There are over 1.5 million entries in the list. The data included names and dates of birth. Aliases were also present on the list, which brings the number of unique individuals to well below 1.5 million.
In the United States, there is a list of people who are prohibited from using air transport, created decades ago. Prior to the September 11, 2001 attacks, this list included only 16 people. After the attacks and the creation of the US Department of Homeland Security, the list quickly expanded. The exact number of people on the list is not known, but the latest estimate is between 47,000 and 81,000.
In a statement to the Daily Dot, CommuteAir said the exposed infrastructure, which it described as a development server, was being used for testing purposes. The company also stated that the server did not expose customer information and that the data on it was legitimate, representing a version of a "federal non-flying list" compiled about 4 years ago.
This is not the first leak of a restricted database. In August 2021, a copy of the FBI's wanted list of terrorists was publicly accessible for three weeks.