Paul Berger

USA Today Network

NEW WINDSOR - Security clearances, passwords to airport computers and confidential communications from federal security agencies were among documents compromised in a massive, year-long data exposure at Stewart International Airport discovered by a data security expert.

The commercial airport in New Windsor, which served 285,000 passengers in 2015, is managed by AvPORTS, which also manages Teterboro (N.J.) Airport.

The two airports are operated by the Port Authority of New York and New Jersey, which also owns LaGuardia, John F. Kennedy International and Newark Liberty International airports.

PROTECT YOURSELF: Simple ways to step up your online security

AT RISK: Internet users use sloppy practices

A Port Authority spokesman said the bi-state agency’s computer network is maintained separately from AvPORTS.

“Based on our investigation to date, the Port Authority network has not been compromised and remains sound,” spokesman Ron Marsico said.

He added that an investigation into the AvPORTS exposure continues.

AvPORTS officials did not respond to requests for comment. The Virginia-based company, which manages 16 airports around the country, says on its website that it offers clients “enhanced security.”

Chris Vickery, the data security expert who discovered the lapse during a random web search, said more than 700 gigabytes of data had been stored on an unsecured server since April.

Rather than having to log into the airport’s systems, Vickery said the data was publicly available.

“It’s like somebody painting a big sign outside their house with all their personal information on it and anybody passing by can see it,” Vickery said.

Vickery said he downloaded more than 300 gigabytes of information, including staff payroll files, emails, identities of people with security clearances, logs of lost security ID badges and letters from the Transportation Security Administration warning of security lapses at the airport.

He said it took seven hours and calls to AvPORTS, Port Authority police and Stewart Airport on Friday before the server was secured.

Since then, Vickery said no one has contacted him asking him what data he is holding or to delete the information.

Vickery said he believes the data contains a host of information about the Port Authority’s computer networks and systems.

“It’s probably more of a risk than they realize,” said Vickery, a lead security researcher for a software security firm, MacKeeper.

The lapse was first reported by technology news site ZDNet.

Computer security experts told the site that hackers could have used the information to issue or edit boarding passes at Stewart.

The site also reported having reviewed dozens of letters of investigation from the Transportation Security Administration regarding security lapses at the airport over the past decade. Cases included airport officials’ failure to perform checks of a federal no-fly list and a key to a secure area of the airport which was left on a ticket counter.