Heathrow Airport Limited (HAL) has been fined £120,000 for serious data protection failings after a USB memory stick containing the personal details of employees and highly sensitive info on a visit by the Queen was lost last year.
UK privacy watchdog the Information Commissioner’s Office (ICO) subsequently found that just 2% of the airport’s 6500 staff had been trained in data protection.
The thumb drive in question was found by a member of the public on October 16 last year and handed to a national newspaper, which made a copy before returning it to the airport.
The drive, which was neither encrypted nor password protected, apparently contained 76 folders and over 1000 files.
The number of employees who had data exposed was relatively small: 10 individuals’ names, dates of birth, passport numbers and other details were mentioned in a training video while 50 aviation security staff were also affected, according to the ICO. However, arguably more importantly, the thumb drive also contained details of security measures used to protect the Queen for an upcoming visit, the location of CCTV cameras and other highly sensitive info.
Aside from HAL’s oversight regarding training and awareness, the ICO also found widespread use of removable media at the airport, despite official policy to the contrary, and insufficient controls preventing data being downloaded to such devices.
The case was considered under the old data protection regime and not the GDPR because of the time frame involved.
“Data protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise,” said ICO director of investigations, Steve Eckersley.
“Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimize any vulnerabilities of the personal information that has been entrusted to them.”
Once informed of the incident, HAL is said to have promptly reported it to the police, worked to contain the issue and enlisted the help of a vendor to monitor the internet and dark web for signs of the data.
Peter Carlisle, VP EMEA at Thales eSecurity, argued that encryption is a must-have in today’s business environment.
“The impact of any data breach is dramatically minimized if encryption is used to protect data, as encrypted data is of no value to thieves or hackers,” he added.