The Information Commissioner’s Office (ICO) has issued Heathrow Airport with a £120,000 fine for failing to protect personal data after a member of the public found a USB stick lost by an employee in October last year.
The USB drive contained 76 folders and over 1,000 files, including a training video that exposed the names, dates of birth and passport numbers of ten individuals. It also contained the details of up to 50 Heathrow Airport aviation security personnel.
The files were not encrypted or password-protected.
The member of the public, who found it on 16 October 2017, viewed the contents of the USB stick on a computer at a local library.
The person then handed it to the Sunday Mirror, who reported that the storage device showed the exact route the Queen takes when using the airport, as well as the security measures used to protect her.
ICO Director of Investigations, Steve Eckersley, said:
“Data Protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise.
“Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them.”
Heathrow fine: No GDPR?
The breach occurred before Europe’s General Data Protection Regulation (GDPR) came into force on 25 May this year. Instead, the Heathrow fine fell under the remit of the Data Protection Act 1998, which carries a maximum fine of £500,000.
Under GDPR, fines can be as high as €20m or 4% of global annual turnover.
“This is a reminder that failure with cybersecurity will cost a company money,” said Joseph Carson, chief security scientist at cyber security company Thycotic.
“Luckily for Heathrow Airport Limited they have escaped a potential major fine and this is more a slap on the wrist as compared to the recent fine given to Tesco Bank for failing to protect account holders from a cyberattack.”
In its investigation, the ICO found that only 130 of Heathrow’s 6,500 staff had been trained in data protection.
The investigation also found that the breach contravened Heathrow Airport’s own policy on personal data and unencrypted storage devices.
In response to the breach, Heathrow Airport hired a third-party specialist to check that the compromised files had not been published on the internet or the dark web.
It also reported the incident to the police.
“Organisations who are entrusted to protect personal data need to prioritise cybersecurity with a focus on privileged access management, encryption, cyber awareness training, multi-factor authentication and strong incident response readiness,” added Carson.
Heathrow is the UK’s busiest airport, with 78 million passengers passing through it in 2017.