Credential theft
CommuteAir Jenkins Misconfiguration Exposes AWS Credentials and No-Fly List
Incident Details
In January 2023, a security researcher discovered that CommuteAir, a US regional airline, was running a Jenkins build server that was reachable from the internet with no authentication required. The Jenkins pipeline configurations contained hardcoded AWS access keys. Using those keys, the researcher accessed multiple CommuteAir S3 buckets and found one holding a 2019 version of the TSA No Fly List, a sensitive government document listing individuals prohibited from boarding commercial aircraft in the US. The researcher shared the No Fly List on a hacking forum, which is how it became publicly exposed. The incident illustrates the systemic risk of long-lived cloud credentials hardcoded into CI/CD pipelines: an unauthenticated build server handed out keys that were valid well beyond the build, and the blast radius extended to government data that the airline stored alongside its own on inadequately secured infrastructure.
Technical Details
- Initial Attack Vector
  - A Jenkins CI/CD server at CommuteAir was publicly accessible without authentication and exposed AWS credentials in its pipeline configurations; a security researcher used those credentials to access multiple S3 buckets, including one containing the TSA's No Fly List
- Vendor / Product
  - Jenkins (CI/CD); Amazon S3
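The attack vector above is a detectable pattern: long-lived AWS keys written literally into pipeline definitions. The following is an added example, not code from CommuteAir, Jenkins or the original page, showing a small scanner for that pattern run over two constructed Jenkinsfiles: one with the keys inline (the weak form the incident describes) and one that instead references a credential stored in the Jenkins credentials store. The key values are the AWS documentation example keys, not real credentials; the credential ID `deploy-aws-creds` and bucket name are hypothetical, and the hardened form assumes the Jenkins AWS credentials plugin (which provides the `AmazonWebServicesCredentialsBinding` binding) is installed.

```python
"""Scan Jenkins pipeline text for hardcoded AWS credentials.

Added example (not CommuteAir's, Jenkins' or the page's own code). The two
Jenkinsfile samples below are constructed; their key values are the AWS
documentation example keys, not real credentials.
"""
import re
from typing import Dict, List

# AWS access key IDs are 20 characters: a 4-character prefix (AKIA for
# long-term IAM keys, ASIA for temporary STS keys) followed by 16 uppercase
# letters or digits. The look-arounds stop matches inside longer tokens.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 characters of [A-Za-z0-9/+=]. On its own that is
# too noisy, so a "secret ... key" identifier must appear on the same line
# before the quoted value.
SECRET_KEY_RE = re.compile(
    r"(?i)secret[_ -]?(?:access[_ -]?)?key[^\n'\"]{0,20}['\"]([A-Za-z0-9/+=]{40})['\"]"
)


def scan_pipeline_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per hardcoded AWS credential, with its 1-based line."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id", "value": m.group(0)})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_secret_access_key", "value": m.group(1)})
    return findings


# Constructed sample of the weak form: keys written directly into the pipeline,
# readable by anyone who can view the job configuration.
VULNERABLE_JENKINSFILE = """\
pipeline {
  agent any
  environment {
    AWS_ACCESS_KEY_ID     = 'AKIAIOSFODNN7EXAMPLE'
    AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
  }
  stages {
    stage('Deploy') {
      steps { sh 'aws s3 sync build/ s3://example-deploy-bucket/' }
    }
  }
}
"""

# Constructed hardened form: the pipeline names a credential ID (hypothetical
# 'deploy-aws-creds') held in the Jenkins credentials store, and the key
# material is bound to environment variables only for the duration of the step.
HARDENED_JENKINSFILE = """\
pipeline {
  agent any
  stages {
    stage('Deploy') {
      steps {
        withCredentials([[$class: 'AmazonWebServicesCredentialsBinding',
                          credentialsId: 'deploy-aws-creds',
                          accessKeyVariable: 'AWS_ACCESS_KEY_ID',
                          secretKeyVariable: 'AWS_SECRET_ACCESS_KEY']]) {
          sh 'aws s3 sync build/ s3://example-deploy-bucket/'
        }
      }
    }
  }
}
"""


def has_hardcoded_aws_credentials(text: str) -> bool:
    """Convenience gate for a pre-merge or periodic config audit."""
    return bool(scan_pipeline_text(text))


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_JENKINSFILE), ("hardened", HARDENED_JENKINSFILE)):
        print(name, scan_pipeline_text(text))
```

Moving the keys into the credentials store removes them from job XML and pipeline text, but it does not by itself fix the root cause in this incident: an unauthenticated Jenkins instance can still run jobs that use the bound credentials. The scanner belongs alongside access control on the server and short-lived, least-privilege credentials rather than in place of them.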
Timeline
- 2022-12-01 Breach occurred
- 2023-01-19 Publicly disclosed