Incident Details
CommuteAir, a regional airline, experienced a significant security breach in January 2023 that led to the exposure of the US Department of Homeland Security's No Fly and Selective Screening lists, which included over 1.5 million records, as well as personal information of CommuteAir employees.
Incident
How Did the Breach Happen?
An attacker scanned the internet for exposed Jenkins servers and found one belonging to CommuteAir. The attacker accessed build job repositories, found hard-coded credentials, and then used these to access most of CommuteAir's AWS infrastructure, including S3 buckets, which contained the sensitive lists within test data.
What Data Has Been Compromised?
The data compromised included the US Government's No Fly list and Selective Screening list, together containing over 1.5 million records, as well as personal employee information stored in CSV files.
Why Did the Company's Security Measures Fail?
The company's security failed primarily due to hard-coded AWS credentials present on an insecure Jenkins server, broad AWS permissions granted to those credentials, unencrypted sensitive data in S3 buckets, and a publicly exposed Jenkins server without adequate monitoring or access controls.
What Immediate Impact Did the Breach Have on the Company?
The immediate impact of the breach is not detailed in the provided information, but such breaches typically result in a loss of trust, potential legal consequences, and a need for an in-depth security review and response by the affected company.
How Could This Have Been Prevented?
The breach could have been prevented by not storing AWS access keys in code, encrypting sensitive data, implementing proper access controls, monitoring publicly exposed servers, and evaluating the necessity of retaining sensitive data, particularly data that may be outdated and no longer necessary to keep.
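The failure described above (static AWS keys committed to build job files) and the first prevention measure (not storing access keys in code) can both be checked with a simple secret scan of a repository. The following is an added example, not code from CommuteAir or from this page: it flags AWS access key IDs and 40-character secret keys assigned to secret-looking variables, and runs against two constructed Jenkinsfiles, one with keys pasted into the pipeline environment and one that reads them from the Jenkins credentials store (the credential ID 'aws-deploy' is assumed).

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# AWS access key IDs: long-term (AKIA) or temporary (ASIA) prefix plus 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A 40-character secret, but only when assigned to a secret-looking variable,
# so build IDs and hashes elsewhere in the file are not reported.
SECRET_KEY_RE = re.compile(
    r"""(?i)(?:aws_secret_access_key|aws_secret|secret_key)\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"""
)

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str       # "access_key_id" or "secret_access_key"
    redacted: str   # first/last 4 chars only, so the report itself is not a second leak

def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (e.g. every tracked file in a build job repo)."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, rx in (("access_key_id", ACCESS_KEY_RE), ("secret_access_key", SECRET_KEY_RE)):
                for m in rx.finditer(line):
                    value = m.group(m.lastindex or 0)   # captured secret, or the whole key ID match
                    findings.append(Finding(path, lineno, kind, value[:4] + "..." + value[-4:]))
    return findings

# Constructed sample Jenkinsfiles: the first pastes static keys into the pipeline
# environment (the pattern behind this incident); the second pulls the same values
# from the Jenkins credentials store at run time, so nothing secret lives in the repo.
VULNERABLE_JENKINSFILE = """\
pipeline {
  environment {
    AWS_ACCESS_KEY_ID = 'AKIATESTKEY000000001'
    AWS_SECRET_ACCESS_KEY = 'abcdefghijklmnopqrstuvwxyz0123456789ABCD'
  }
}
"""
HARDENED_JENKINSFILE = """\
pipeline {
  environment {
    AWS_CREDS = credentials('aws-deploy')   // stored in Jenkins, never in the repo
  }
}
"""
```

Run it as a pre-commit hook or CI step over the checked-out repository and fail the build on any finding; the hardened file produces none.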
What Have We Learned From This Data Breach?
This data breach serves as a reminder of the importance of secure coding practices, least-privilege access, data encryption, regular security audits, and proper data retention policies to prevent unauthorized access to sensitive information.
Summary of Coverage
The CommuteAir data breach involved an externally exposed Jenkins server that allowed an attacker to access sensitive information, including the US No Fly and Selective Screening lists with over 1.5 million records. The breach was caused by a combination of security misconfigurations, such as hard-coded AWS credentials, publicly accessible servers, and unencrypted data storage. It underlines the need for robust security measures and diligent monitoring to protect against data exposure.