Credit: ID 3661968 © Dmitry Bomshtein | Dreamstime.com
UK privacy watchdog, the Information Commissioner’s Office (ICO), has fined Heathrow Airport £120,000 (AUD $223,000) over a USB stick containing sensitive airport security information that was found on a street in London by a member of the public last October.
The person who fount the USB stick went to a local library, plugged the device into one of its computers, and discovered that about 1,000 files from the airport that were not encrypted or password protected.
A week later the person handed the USB stick to the Sunday Mirror, which reported the device contained 2.5GB of data, including maps, videos, documents detailing security procedures to guard Europe’s busiest airport against terror attacks.
The files also detailed the route the Queen takes when she uses the airport, types of ID needed to access restricted areas, maps that locate CCTV cameras and escape tunnels, and routes used by politicians and foreign dignitaries.
While the information was highly sensitive to airport and national security, the ICO’s response focussed on the one percent of information on the thumb drive that contained personal data.
The key file was a portion of a video file with about three seconds of footage of a page from an open ring binder showing details of 10 people who were part of an unnamed greeting party, and between 12 and 50 Heathrow aviation security personnel.
Exposed details in the video included names, birth dates, registration numbers, nationality, passport numbers and expiry dates, job titles and mobile numbers.
The ICO said it accepted Heathrow Airport’s argument the information was not readily searchable, but the commissioner “considered that a motivated individual could locate and extract the data in a more permanent form”, namely a screenshot.
The Sunday Mirror contacted Heathrow Airport and handed the USB drive back to it, but declined to hand over a copy that it had taken.
Police however confirmed the library computer used to view the USB stick files were not retained on the computer, according to the ICO.
Heathrow Airport investigators determine the data an employee security trainer who was in a “relatively junior position” put the data on the thumb drive and lost it during a work commute, according to the ICO.
After the incident, Heathrow Airport hired "third-party specialists” to monitor the dark web and internet for signs the exposed details were being sold online. So far, it seems they haven’t been, according to the ICO.
But the hefty fine was issued for what the ICO saw as serious deficiencies in the airport's data security practices.
Read more: EU parliament overwhelmingly backs recommending a ban on Kaspersky products
Quoting from Heathrow Airport’s investigation report, the ICO said “there are no technical barriers to employees uploading sensitive data to removable devices and colleagues across many areas of the airport are using a combination of personal Heathrow issued data sticks in order to port files between locations and devices”.
The airport also had no way to say whether personal data had been transferred to external drives in the past.
Even though the airport's intranet site advised staff to “put sensitive files on removable media only when necessary” and to “keep removable media secure”, the ICO found this act was insufficient to ensure staff knew of its policies.
Following the investigation, Heathrow Airport itself estimated that only two percent of its 6,500 employees had received data protection training and that this training was not available to the role of the employee involved in the breach.
As such, the ICO decided that Heathrow Airport’s personal data protection measures were lacking due to technical and organizational failures.
Specifically, the airport couldn’t prevent staff from downloading data onto unauthorized and unencrypted media; it failed to prevent staff from removing personal data from airport systems; it had no record or control over the number of devices used containing personal data; and it failed to provide sufficient training for staff on data protection and information security.
The commissioner of the ICO has the authority to issue fines of up to £500,000.