Heathrow Airport has been fined £120,000 (U.S. $158,000) after an unencrypted USB memory stick, which may have contained details about the Queen’s travel plans, was discovered in October on a street in London.

The memory stick belonged to a Heathrow Airport employee and contained 76 folders and more than 1,000 files—none of which was encrypted or password protected. The person who found it viewed the material it contained at a local library and passed it on to a national newspaper (The Sunday Mirror), which copied the data before passing it back to the company five days later.

Heathrow Airport—Europe’s busiest and the seventh-busiest in the world—then reported the matter to the police and hired a third-party specialist to monitor the internet and dark Web to see if the data had been sold or made public. It also instructed all employees to locate any memory sticks in their possession, delete the data on them, and then destroy the devices themselves.

The company, however, failed to inform the U.K.’s data regulator of the breach. The Information Commissioner’s Office (ICO) only became aware of the matter when the newspaper ran the story on 29 October 2017. It contacted Heathrow Airport the following day.

“Data Protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training, and vision that indicated otherwise.”
Steve Eckersley, Director of Investigations, ICO

The ICO has not confirmed whether the device did contain details about the Queen’s travel arrangements as reported in the original newspaper story, and Heathrow Airport has not commented. But the regulator has confirmed that it views the breach seriously.

The ICO has said that although the amount of personal and sensitive data held on the stick comprised a small amount of the total files (less than one percent), the fact that it also contained a training video which—in just a three-second segment—exposed 10 individuals’ details (including names, dates of birth, passport numbers) and the details of up to 50 aviation security personnel was of “particular concern.”

The ICO’s director of investigations, Steve Eckersley, said: “Data Protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training, and vision that indicated otherwise. Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures, and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them.”

The ICO investigation found that only two percent of the 6,500-strong workforce had been trained in data protection, and that the company’s data protection policies were ineffective and widely ignored. The regulator found that there was “widespread” use of removable media such as USB sticks and other devices, which was in contravention of the airport’s own policies and guidance, and “ineffective controls” preventing personal data from being downloaded onto unauthorised or unencrypted media.

Useful Weblinks

IT security top tipshttps://ico.org.uk/for-organisations/guide-to-data-protection/it-security-top-tips/
A practical guide to IT securityhttps://ico.org.uk/media/for-organisations/documents/1575/it_security_practical_guide.pdf
Bring your own devicehttps://ico.org.uk/media/for-organisations/documents/1563/ico_bring_your_own_device_byod_guidance.pdf

The ICO also found that the airport operator had no way of determining just how much data could have been transferred to USB sticks or other devices in the past, or by whom, despite implementing an “acceptable use policy” in May 2017—just five months before the breach was uncovered.

In its judgment, the ICO said that “given that Heathrow Airport Limited is Europe’s busiest airport, where high-level security should be inherent, loss or unauthorised disclosure of personal data of staff could have presented a greater risk if found by individuals who had not handled the data responsibly.”

Since the breach occurred in 2017 before the EU General Data Protection Regulation (GDPR) came into force, the case was dealt with under the provisions and maximum penalties of the Data Protection Act 1998, which are not as punitive. Under the 1998 Act, the maximum financial penalty is £500,000 (U.S. $659,609). For any breach occurring after May 2018, however, the ICO can impose a civil monetary penalty on a data controller of up to £17 million (U.S. $22.4 million) or 4 percent of global turnover.

A Heathrow spokesperson said in a statement: “Following this incident the company took swift action and strengthened processes and policies. We accept the fine that the ICO have deemed appropriate and spoken to all individuals involved. We recognise that this should never have happened and would like to reassure everyone that necessary changes have been implemented including the start of an extensive, information security training programme which is being rolled out companywide.”

It added: “We take our compliance with all laws extremely seriously and operate within the stringent regulatory and legal requirements demanded of us.”

If the airport operator agrees to pay the fine by 5 November 2018, it can expect a 20 percent reduction in the penalty—paying just £96,000 (U.S. $126,000) rather than £120,000 (U.S. $158,000).