Security error leaves NY airport servers unprotected for a year

The backup storage drive hadn't been password-protected since April.

Michael H

In this day and age, hacks and subsequent leaks of user data would seemingly shock everyone into keeping their security up to date. Not so for New York's Stewart International Airport, located 60 miles north of Manhattan, which left its server backup drives exposed to the internet. They were apparently misconfigured back in April 2016 and were left wide open without password protection until now.

The 760 GB of exposed data included TSA letters of investigation, social security numbers, internal airport schematics and emails, according to Chris Vickery, lead researcher from MacKeeper Security Center. He'd discovered the lapse, noting that the backup drive "was, in essence, acting as a public web server." If someone had found their way in, they could access a particular file with usernames and passwords for various devices and systems, which security experts confirmed to ZDNet would open up every component of the airport's internal network to a malicious user.

Apparently, the Port Authority of New York and New Jersey contracts out management of Stewart Airport to a private company called AvPORTS, which uses a single IT professional to set up and maintain its networks. Obviously, having one person show up twice a month per location to make sure each IT setup is watertight presents opportunities for lapses that go unnoticed. A Port Authority spokesperson noted that an investigation was ongoing, but that no information was believed to have been compromised during the near year-long exposure.