Oops: Airline Leaked The Entire Federal No Fly List

CommuteAir, which operates Embraer ERJ-145s for United Airlines, left the entire U.S. federal No Fly List on a server that was easily hacked.

While the original requirement to show ID at the airport was a political decision, in order to appear to be ‘doing something’ after TWA flight 800, the reason you have to show I.D. at airport security now is so that the government can compare you against its various watch list, from the No Fly List to various enhanced screening lists.

  • If you didn’t have to be ID’d, you could fly under any name you wished. The government might be looking for Ayman al-Zawahiri, but he could just buy a ticket under a different name.

  • The lists themselves are secret. They won’t tell you that you are on them. They may assign you a redress number to show that you’re not the Ayman al-Zawahiri they happen to be looking for but they won’t ever say that name was on the list.

  • And people get on these lists by mistake, for instance because an FBI agent checked the wrong box on a form. Or they get on out of revenge, against people who refused to act as informants. It’s pre-crime profiling, a bureaucrat puts your name on the list and imposes a punishment without any due process or even proof you’ve actually done anything to warrant it.

Still, the list is considered both highly secret (but not classified) and crucial by the federal government. But it’s also given to airlines.

Analysis of the server resulted in the discovery of a text file named “NoFly.csv,” a reference to the subset of individuals in the Terrorist Screening Database who have been barred from air travel due to having suspected or known ties to terrorist organizations.

The list, according to crimew, appeared to have more than 1.5 million entries in total. The data included names as well as birth dates. It also included multiple aliases, placing the number of unique individuals at far less than 1.5 million.

On the list were several notable figures, including the recently freed Russian arms dealer Viktor Bout, alongside over 16 potential aliases for him. …Suspected members of the IRA, the Irish paramilitary organization, were also on the list. …Another individual, according to crimew, was listed as 8 years old based on their birth year.

While the larger Terrorism Screening Database was suspected to contain nearly two million names, the actual No Fly List which bans boarding aircraft in the United States, has been believed to be much smaller (perhaps 100,000 – 200,000 names). CommuteAir says the data they hosted was the No Fly List, but the list they exposed is much larger than expected.

The compromised server also included personal information – passport numbers, addresses, and phone numbers – of about 900 CommuteAir employees.

The information was secured prior to the hack being revealed. The hacker explains how they did it.

(HT: @crucker)

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »


  1. These lists aren’t very accurate for common names so I don’t see the point. They should only be tied to documents. For example how many Bob Jones or Mary Smith’s have to have redress numbers and then still get flagged. They might as well make the lists public to shame the people on them and inform the rest of us about those same “evil” folks.

  2. Might want to update your reference for a terrorist the government is still looking for Gary. Zawahari swims with the fish.

  3. The original ID reason was to avoid a black market in tickets, or so a person who set it up told me in private. But the whole concept of an internal passport to easily travel within our own country is more like Khrushchev’s Soviet Union than the good old USA.

  4. Why is this titled “airline LEAKS list”? They didn’t leak it. Leaking something means you PURPOSEFULLY send it out so it will be shared. This airline was dumb and had the list on a server that wasn’t properly secured. The hacker HACKED into that and took it. No one leaked anything. It would be like saying you gave away your stuff if you leave your back door unlocked and someone unlawfully enters your house and takes it. Yeah its dumb to leave your door unlocked but you still didn’t make someone come into your house uninvited and take things.

  5. One of these days, companies will actually be held accountable for lousy system security. Until then, nothing is private or secure.

  6. What? No link to the list? I am most disappointed — access to that list could aid a lot of people in verifying and fighting their names being on it.

  7. As a sovereign person, I have not granted authority to any government to require me to have a license to drive a car. I have not granted authority to any government to require me to register my car. I have not granted authority to any government to require me to pay sales tax on the gasoline I use. Never mind this TSA stuff. In fact, I have not granted authority to any government to do anything. And, each time they’ve prosecuted me for some law that I have not granted power to them to institute, they try me in a court with a fringed flag, which denotes a military tribunal. What nerve these people have to impose these attacks on my personal sovereignty!

    Having served many years in the military, having been stationed in a high-terrorist zone, having been subjected to a terrorist firefight, and having a friend executed (not killed but executed) by terrorists, it’s hard for me to understand the rhetoric some people cling to (offered above).

  8. HI GARY



    JOE K

  9. During Khrushchev’s rule of Soviet Union, the Soviets didn’t check foreigners’ names against a computerized blacklist when they were flying within the Soviet Union. The US has taken the aviation blacklist approach to a level that even Soviet hardliners would have loved.

  10. It’s a leak even if/when the information gets out due to poor security protocols being exploited by non-insiders.

  11. Since personal information was leaked, isn’t there a legal obligation to notify everybody on the list that the information was lost?

Comments are closed.