Heathrow airport has been fined £120,000 by the Information Commissioner’s Office (ICO) for a data breach after an employee lost a USB flash drive containing sensitive information.
According to the ICO, a member of the public found the USB stick in October last year. The device contained 76 folders with more than 1,000 files and was not encrypted or password protected.
The ICO says the person who found the USB stick was able to view the information at a local library.
Although the amount of personal data held on the device comprised “a small amount of the total files”, the ICO was particularly concerned about a training video that exposed the names, dates of birth and passport numbers of ten individuals, as well as the details of up to 50 Heathrow Airport Limited aviation security personnel.
The finder then passed the USB stick to a national newspaper, which was able to make copies of the data before returning the device to the airport.
During its investigation the ICO found only 2 per cent of Heathrow’s 6,500 employees were trained in data protection.
The ICO says it was also concerned by the widespread use of removable storage media “in contravention” of the airport’s own policies and guidance. It also found a lack of effective controls to prevent personal data from being downloaded onto unauthorised or unencrypted media.
However, Heathrow did take action once it was made aware of the breach, including informing the police, working to contain the incident and engaging a third-party specialist to monitor the internet and dark web.
An earlier report in the Mirror newspaper claimed the USB stick contained national security details such as a timetable of patrols that was used to guard the airport against terror attacks and the exact route the Queen took when using the airport. However, the ICO would not confirm whether this information was leaked.
Steve Eckersley, director of investigations at the ICO, said: “Data protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise.
“Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them.”
According to the BBC, a spokeswoman for Heathrow airport said: “We recognise that this should never have happened and would like to reassure everyone that necessary changes have been implemented, including the start of an extensive information security training programme which is being rolled out company-wide.”