Leaked: TSA documents reveal New York airport's wave of security lapses

Exclusive: One of the documents reveals how a New York airport's security screeners failed to check names against the government's "no-fly" list.

NEW YORK -- Sensitive documents leaked after a data exposure at an upstate New York airport have revealed several major security lapses in recent years.

Dozens of files seen by ZDNet list a catalog of security failings over the past few years at Stewart International Airport, about 60 miles north of Manhattan, which serves hundreds of thousands of passengers each year, including high-profile guests and private charter flights.

The cache builds up a unique picture of insider threats, breaches, and lapses that acknowledge the difficulty in keeping airside security to a high standard, even at smaller airports.

In one such instance, documents seen by ZDNet show how airport staff was for an unknown period in 2010 unable to screen names against the US government's watchlist of suspected terrorists who were forbidden from flying in its airspace.

A response letter by the airport manager confirmed that the airport "did not have access to the list," and therefore badge-holding staff at the airport were not being screened properly.

The airport had to enlist the help of neighboring Westchester County airport to carry out the checks, the letter added.

The government's "no-fly" list currently prevents around 47,000 passengers from flying within, into, or out of US airspace, according to leaked documents, a figure that rocketed during the Obama administration.

But the list has proven controversial, not least because it's shrouded in secrecy. Only a select few people who have challenged their membership are even aware that they have been on the list, which includes everyone from regular citizens to diplomats and politicians. Sister-site CBS News obtained a copy of the no-fly list in 2006, which showed that the list is riddled with mistaken identities, wrongly added names, and even dead people.

It's not clear what led to the screening mishap, but emails found in the cache of exposed files show one security-cleared employee of AVPorts, a third-party operations provider that manages the airport, regularly downloaded the no-fly list from a secure Homeland Security portal.

A former head of the Transportation Security Administration (TSA) explained that both passengers and airport staff are checked against the no-fly list centrally, making it more difficult to slip through the cracks.

"All airline passengers are screened for the no-fly list automatically by TSA centrally when a flight reservation is made," said Kip Hawley, who helped to found the agency following the September 11 attacks. "It looks like the airport is supposed to screen badge-holders against the no-fly list, and maybe they weren't doing that so they got the notice of violation," he said.

But Hawley said that the so-called "insider threat" remains a concern.

One email seen by ZDNet showed that the airport was concerned about the issue following an arrest of a Long Island, NY resident, which resulted in the discovery of a counterfeit badge for LaGuardia airport. The email said that had staff not properly checked the badge, it may have allowed an uncleared person to enter the airport's secure area.

"Please keep in mind that this could happen at any airport and we must be vigilant," read the email sent by a senior security official at Stewart airport.

Federal agencies continue to put greater scrutiny on the security protocols and policies of smaller airports, including Stewart, in the wake of the threat posed by the so-called Islamic State.

Among the concerns are that potential fighters who try to join the terror group on the ground in Syria and Iraq may aim to travel through smaller, regional airports in order to avoid detection by the authorities.

One field intelligence note found among the exposed files, published by Homeland Security in April 2016, said terrorists "may continue to choose smaller airports... as preferred, more attractive departure points for foreign fighter travel," because security is perceived to be not as strict as larger international airports.

That makes the risks greater and the need to ensure tight security controls all the more important.

A review of various letters of investigation received by the airport over the past decade points to as many as 15 separate investigations carried out by the TSA each year as a result of security lapses at the airport.

TSA inspectors wrote in one letter of investigation in 2010 that some in the airport's corporate transit zone installed card readers that allowed direct access to the air operations area, a highly restricted area of the airside tarmac where aircraft depart, arrive, and maneuver.

Another letter of investigation from 2011 found an unsecured baggage carousel key, which provides direct access to the airport's secure area. The key was lent from a member of one airline's staff to another, but it was later left on a ticket counter when the airline staff returned the key.

And, a letter of investigation from mid-2012 detailed a list of multiple claimed violations, including unsupervised and unescorted access to non-cleared contractors and visitors to highly sensitive and restricted parts of the airport, known as security identification display areas.

But a concerted effort by the airport to improve security over the past three years has paid off.

One email sent by the airport's security manager earlier last year confirmed that the TSA had not sent any letters of investigation during 2015.

Also, a comprehensive security review by TSA inspectors in the same year concluded with no findings of concern, the email said.

A spokesperson for the TSA said: "The documents we've seen referenced appear to be copies of old inspection reports that demonstrate that TSA has been performing our mission of security oversight at the airport. When we find issues that need to be addressed we point them out and work with the airport to get them resolved."

A spokesperson for the Port Authority of New York and New Jersey, which owns the airport, said its own networks were not compromised.

"AVPorts, an independent contractor that handles various airport functions including serving as security manager at Stewart International Airport, maintains a separate system for administering those responsibilities. Our investigation into AVPorts' separate system is ongoing. The TSA findings in the documents in that system from several years ago were addressed at that time to the satisfaction of the TSA and are no longer relevant," the spokesperson said.

AVPorts did not respond to multiple requests for comment prior to publication.
