Almost 23 million files were found on the bucket, making a total of around 6.5TB of leaked data.
A low-cost Turkish airline accidentally leaked the personal information of flight crew, together with source code and flight data, after misconfiguring an AWS bucket.
According to a research team from security comparison site SafetyDetectives, the cloud data store was left wide open on February 28. The team traced some of the leaked information to Electronic Flight Bag (EFB) software developed by Pegasus Airlines.
EFBs are information management tools designed to optimize the productivity of airline crew by providing essential reference materials for their flight.
Approximately 23 million files were found on the bucket, which comes to around 6.5TB of leaked data. This includes more than three million files containing sensitive flight data such as: flight charts and revisions; insurance documents; details of issues found during pre-flight checks; and info on crew shifts.
Over 1.6 million files contained personally identifiable information (PII) on airline crew, including photos and signatures. Source code from Pegasus’s EFB software was also found in the trove, including plain text passwords and secret keys.
SafetyDetectives speculated that malicious actors could gain access to highly sensitive information as a result of the leak.
The researchers stated that cyber criminals could tamper with sensitive flight data and extra-sensitive files using passwords and secret keys found on PegasusEFB’s bucket. With millions of files containing recent and possibly relevant flight data, an attacker could have numerous options to cause harm if they found PegasusEFB’s bucket.
However, there is no indication that any malicious actors have misused the exposed data. SafetyDetectives notified Pegasus Airlines on March 1 and noted that the leak was remediated around three weeks later.