The Importance of Cybersecurity: FBI No Fly List Leaked on Unsecure Server

Recently, a Swedish hacker discovered a No Fly List used by the FBI to ban suspect individuals from flying, but this data, complete with passport numbers, birth dates, and other private information, was left on an unsecured server. It's alarming to think that the FBI's No Fly List, which is used for the protection and security of our air travel network, was so easily accessible to hackers due to the lack of proper encryption and server security. 

This is a prime example of why data protection and cybersecurity should be a top priority, especially when it comes to sensitive information such as the FBI's No Fly List. Why is security such an important aspect of modern electronics, what did the hack demonstrate, and what can engineers learn from this incident?

Why is security such an important aspect of modern electronics?

As technology continues to progress, so does our reliance on it, and it seems that modern life is virtually impossible without having access to a computer, smartphone, and the internet. In fact, the importance of these three key pieces of technology is so significant that government legislation exists to ensure that all new properties are connected to high-speed internet cables, and properties with poor access can apply for government grants and schemes to help install better internet infrastructure.

But as modern life increases this dependence on technology, it also introduces numerous challenges. The first, and most obvious challenge, is that those who cannot access the latest technology are at risk of being left behind. For example, having poor internet access makes it difficult to stream video content, access cloud-based software, and make reliable calls. While this wouldn’t have been an issue ten years ago, the lack of movie rental shops, the move towards cloud-only services, and remote work mean that all these technologies are essential.

The second challenge associated with technologies, or to be specific, internet-enabled technologies, is that devices become more susceptible to cyberattacks. For example, two decades ago, most electronic devices lacked internet connectivity, meaning that they would be exceedingly difficult to hack remotely. However, with all devices having some kind of internet connection, it is possible for anyone around the world to launch remote attacks.

To make matters worse, key infrastructure that is responsible for running modern civilisations (such as road networks, air traffic control, power distribution, and supply chains) are all connected to the internet to some degree, meaning that it is theoretically possible to shut a country down via a large cyberattack. This is why strong security practices in electronics devices are essential and include the use of encryption to protect data streams, strong passwords to make it difficult to gain access to devices, and unique IDs for each device manufactured to prevent widespread simultaneous attacks.  

Hacker discovers No Fly List on an unsecured server

Recently, a hacker in Sweden reportedly announced the discovery of an FBI No Fly List and employee data on an unsecured server hosted by CommuteAir. The FBI No Fly List is an essential database that informs airlines of individuals considered a potential criminal threat, such as terrorists and weapons dealers. Those trying to board planes on the No Fly List are automatically identified by computer systems (via stored personal information such as passport numbers) and can be safely approached by law enforcement officers, either for arrest or for ejection from the airport.

Under normal circumstances, it could be argued that a No Fly List is public information, as multiple airliners need to be able to identify individuals of concern. In fact, this is not entirely different to the FBIs most wanted list, which is public ally accessible so that members of the public can report potentially dangerous criminals. 

However, what made this particular hack worrying is that the No Fly List also includes personal data, including full names, passport numbers, and date of birth, all of which can be used for identity theft. There is no doubt that some individuals on the list are there for a good reason, but it is possible to be placed on this list during criminal investigations (even if innocent of a crime). Thus, innocent civilians on the list are at serious risk of numerous crimes, including fraud and targeted crime. 

To make matters worse, the server also included a list of 1,000 employees’ data. Like the No Fly List, this data also included passport numbers, addresses, and phone numbers, all of which can be used to commit fraud.

What can engineers learn from this?

In a case like this, it is hard to understand how this could have happened. According to the hacker, the data was found on an unsecured AWS cloud server which had supposedly been forgotten. However, the server must have still been created, had data transferred to it, and used for some practical reason. At no point did any of the engineers involved decide to think about privacy, where they keep personal data, and how to protect it.

So, from this incident, engineers can learn a fundamental lesson; data handling. Simply put, when dealing with data, consider where it will be stored, how it will be transmitted, and where it will be used. If the data being stored is potentially private, it must be encrypted at the very least. If that data is being held on a server with an internet connection, then access to that server must only be via strong credentials. Finally, if that data is expected to be used remotely from that server, the transmission of that data must use encryption.