"Turkish Airline Exposes Flight and Crew Info in 6.5TB Leak"

Researchers at SafetyDetectives recently discovered that a low-cost Turkish airline accidentally leaked personal information of flight crew, along with source code and flight data, after misconfiguring an AWS bucket. They found the cloud data store was left wide open on February 28, and traced some of the leaked information to Electronic Flight Bag (EFB) software developed by Pegasus Airlines. EFBs are information management tools designed to optimize the productivity of airline crews by providing essential reference materials for their flight.

The researchers found almost 23 million files on the bucket, totaling around 6.5TB of leaked data. The data included over three million files containing sensitive flight data such as flight charts and revisions, insurance documents, details of issues found during pre-flight checks, and info on crew shifts. Over 1.6 million files contained personally identifiable information (PII) on the airline crew, including photos and signatures. Source code from Pegasus's EFB software was also found in the trove, including plain text passwords and secret keys.

The researchers stated that, with millions of files containing recent and possibly relevant flight data, an attacker could have had numerous options to cause harm if they had found PegasusEFB's bucket. Crew members could also be the subject of coercion by organized crime groups, while the information contained in the data store could help bad actors identify weaknesses in airport and airline security. The researchers stated that, at the moment, there is no indication that any malicious actors found the trove before the research team did. After notifying Pegasus Airlines on March 1, the researchers noted that the leak was remediated around three weeks later.

 

Infosecurity reports: "Turkish Airline Exposes Flight and Crew Info in 6.5TB Leak"

Submitted by Anonymous on