Heathrow Fined £120,000 Over Lost USB Stick

Heathrow Airport said it has begun a company-wide data security training programme after the Information Commissioner’s Office (ICO) fined it £120,000 over an embarrassing data breach last year.

The ICO said an unencrypted USB stick belonging to a junior Heathrow staff member was found by a member of the public.

The stick contained sensitive personal data on people working at the airport.

“The stick held a training video containing names, dates of birth, vehicle registrations, nationality, passport numbers and expiry, roles, and mobile numbers of 10 individuals involved in a particular greeting party, and also details of between 12 and 50 (exact number unconfirmed) Heathrow aviation security personnel, ” the ICO said in its penalty notice.

Data capture

The information was captured “erroneously” during a portion of the video in which a page from an open ring binder containing the data appeared on screen.

“Given the way the data was captured and displayed, it would not be readily available or searchable, but (the information commissioner) considers that a motivated individual could locate and extract the data in a more permanent way,” the ICO said.

Only 1 percent of the more than 1,000 files on the stick were classified as being personal in nature. The ICO found that less than 2 percent of the airport’s staff had received data protection training.

“Given that Heathrow Airport is Europe’s busiest airport, where high-level security should be inherent, loss or unauthorised disclosure of personal data of staff could have presented a greater risk if found by individuals who had not handled the data responsibly,” the ICO said.

The stick was reported at the time to also contain details of security arrangements at Heathrow, but the ICO did not confirm this.

The stick was recovered on 16 October 2017 in Kilburn, west London, and was reportedly viewed in a local library before being handed to a national newspaper 10 days later. The newspaper made copies of the information before returning it to Heathrow on 27 October, according to the ICO.

The ICO became aware of the affair only on 30 October, when media reports first appeared. It contacted Heathrow, which then submitted a breach notification report on 7 November.

Policy improvements

Heathrow said it has since improved its data security policies.

“We accept the fine that the ICO has deemed appropriate and spoken to all individuals involved,” the airport said in a statement. “We recognise that this should never have happened and would like to reassure everyone that necessary changes have been implemented, including the start of an extensive information security training programme, which is being rolled out company-wide.

“We take our compliance with all laws extremely seriously and operate within the stringent regulatory and legal requirements demanded of us.”

ICO director of investigations Steve Eckersley said the ICO had found numerous “shortcomings” in Heathrow’s policies.

“Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them,” he said.

The case was handled under data protection legislation that was superseded by the GDPR in May of this year, instituting much higher potential financial penalties.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Apple, Google Mobile Ecosystems Should Be Investigated, CMA Told

CMA receives 'provisional recommendation' from independent inquiry that Apple,Google mobile ecosystem needs investigation

3 days ago

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

3 days ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

3 days ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

3 days ago

Former Policy Boss At X, Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

4 days ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

4 days ago