Low-cost Turkish airline Pegasus Airlines has accidentally leaded the personal information of its flight crew, source code, and flight data due to a misconfigured AWS bucket. SafetyDetectives, a research team, discovered the unsecured database on February 28 and was able to trace the leaked information to the Electronic Flight Bag software developed by the airline and designed to optimize the productivity of airline crew. The software also provides essential reference materials for flights. Security researchers found almost 23 million files in the bucket, resulting in 6.5TB of leaked data. Researchers reported that over three million of the files contained sensitive information such as flight charts, insurance documents, pre-flight checks and issues detected during the checks, and information on crew shifts.

Roughly 1.6 million files reportedly contained personally identifiable information (PII) belonging to staff and airline crew. This included photos and signatures. Source code from the software was also detected in the trove, including plain text passwords and secret keys. SafetyDetectives warned of the potential privacy implications for crew members, and the risk that the leak may have landed highly sensitive information in the hands of malicious actors, who could leverage the data to tamper with flight data, change contents of files, and block potentially important information. This places passengers and crew members at risk, SafetyDetectives says.

Read More: Turkish Airline Exposes Flight and Crew Info in 6.5TB Leak