Security error leaves NY airport servers unprotected for a year
The backup storage drive hadn’t been password-protected since April.
By David Lumb
Feb 25 2017
The 760 GB of exposed data included TSA letters of investigation, social security numbers, internal airport schematics and emails, according to Chris Vickery, lead researcher from MacKeeper Security Center. He’d discovered the lapse, noting that the backup drive “was, in essence, acting as a public web server.” If someone had found their way in, they could access a particular file with usernames and passwords for various devices and systems, which security experts confirmed to ZDNet would open up every component of the airport’s internal network to a malicious user.
Apparently, the Port Authority of New York and New Jersey contracts out management of Stewart Airport to a private company called AvPORTS, which uses a single IT professional to set up and maintain its networks. Obviously, having one person show up twice a month per location to make sure each IT setup is watertight presents opportunities for lapses that go unnoticed. A Port Authority spokesperson noted that an investigation was ongoing, but that no information was believed to have been compromised during the near year-long exposure.