ZDNet reports today that Stewart International Airport in New York left its server backups exposed on the open internet for almost a year. That included open access to gigabytes of emails, government files and passwords that could have given hackers full access to airport systems. Unprotected since April 2016, the airport was backing up copies of its systems to a storage drive installed by a third party IT specialist, but neither the backup drive nor the disk images were password protected. That meant anyone could access the contents as if it was a public web server.
Among the files exposed on that server were airport staff email accounts, HR files, payroll data, confidential airport infrastructure schematics, and Homeland Security documents marked “sensitive” (but not classified) like security plans and arrival procedures for private jet passengers. One file contained usernames and passwords for airport devices and systems, which researchers say could give access to the airport’s internal network. In a worst-case scenario, hackers could have used this data to shut down airport operations or issue boarding passes to people on the “no-fly” list.
There is no evidence at this time that any of the airport’s data was compromised. But it’s frightening to see how a small mistake can create a very dangerous security situation. Researchers that investigated the server criticized the airport’s password policies and said having a single person maintaining an airport network infrastructure was a “recipe for security lapses.”
We advise businesses of all sizes to follow password best practices and to protect their networks with layered security services from UTM and next-gen firewall products such as our own. Also, design network infrastructure with security in mind. Hiring a MSSP is worthwhile for small businesses that can’t afford security staff. Otherwise a simple mistake by an overworked network engineer could put an entire infrastructure at risk, just like this airport.
Read the full article at ZDNet and check back on Monday when a follow-up story will publish. Read more about our own network security products and how we layer different security controls together in Secplicity.