Heathrow Airport Fined £120,000 for Lost USB Storage DrivePrivacy Regulator Cites Data Protection 'Catalog of Shortcomings'
The U.K.'s largest airport has been slammed by the country's privacy watchdog for a series of missteps that led to a USB memory drive containing highly sensitive information being lost on a London city street, where it was found by a passerby.
On Monday, the Information Commissioner's Office announced that it was fining Heathrow Airport Limited £120,000 ($155,000) under the Data Protection Act 1998, which was in effect at the time of the breach.
"Data protection should have been high on Heathrow's agenda. But our investigation found a catalog of shortcomings in corporate standards, training and vision that indicated otherwise," says Steve Eckersley, the ICO's director of investigations. "Data protection is a boardroom issue, and it is imperative that businesses have the policies, procedures and training in place to minimize any vulnerabilities of the personal information that has been entrusted to them."
Heathrow is owned and operated by BAA Limited, which also owns or operates six other U.K. airports and itself is owned by an international group led by the Spanish Ferrovial Group.
"Following this incident, the company took swift action and strengthened processes and policies," a Heathrow spokeswoman tells Information Security Media Group. "We accept the fine that the ICO have deemed appropriate, and we have spoken to all individuals involved. We recognize that this should never have happened and would like to reassure everyone that necessary changes have been implemented, including the start of an extensive information security training program, which is being rolled out companywide. We take our compliance with all laws extremely seriously and operate within the stringent regulatory and legal requirements demanded of us."
Lost and Found: USB Memory Stick
The USB memory stick was lost by a Heathrow employee and found by a member of the public on Oct. 16, 2017, who viewed its contents on a library computer. None of the data stored on the device was encrypted or password-protected, the ICO says. The individual then passed the device to the Sunday Mirror, a national newspaper. The newspaper made copies of the information and then returned the device to Heathrow.
The ICO says the USB memory stick required no password and encrypted none of the data it was storing, in violation of Heathrow's own data protection policies.
"Although the amount of personal and sensitive personal data held on the stick comprised a small amount of the total files, of particular concern was a training video which exposed 10 individuals' details, including names, dates of birth, passport numbers and the details of up to 50 HAL aviation security personnel," the ICO says.
"The information was visible for approximately three seconds within the video wherein a page of an open ring binder (containing the information) was erroneously captured by the video," the ICO says in the partially redacted monetary penalty notice (PDF) that summarizes the results of its investigation and explains the commissioner's decision.
Heathrow reported the lost device to police on Oct. 26, 2107, the ICO says. The first media report about the data breach appeared on Oct. 29, 2017. "Terror threat as Heathrow Airport security files found dumped in the street," the Sunday Mirror reported, noting that the information included "the exact route the Queen takes when using the airport and security measures used to protect her" as well as a timetable of airport patrols.
The next day, the ICO made inquiries to the airport, after which Heathrow submitted a formal breach notification on Nov. 7, 2017.
Breach Traced to Security Trainer
The ICO says that Heathrow's own investigation found that a relatively junior employee - ironically, a security trainer - had put the training video onto the USB stick. "It appears from HAL's investigation that the USB stick was lost in transit when the staff member was communing to or from their place of work," the ICO says. Heathrow suspended the staff member while it conducted its internal investigation, the ICO says.
"[Heathrow's] data protection manager made 'thought-based determinations' as to which groups of employees had the greatest exposure to personal data and [devised] a strategy for training accordingly."
Following the incident, Heathrow on Oct. 31, 2017, "a companywide instruction was issued directing staff to locate any memory sticks in their possession, delete any files contained on the device and then transfer the data or destroy the device according to advice provided by HAL's IT department," the ICO says.
The ICO says Heathrow also notified other regulatory and advisory agencies and contracted with "third-party specialists to monitor the internet and the 'dark web' for indicators that the breach had spread further or that documents were being traded online."
The airport has told the ICO that there is no indication that information was ever accessed by anyone other than the individual who found the USB device or the newspaper.
Security Training Deficiencies
The ICO report catalogs a number of information security polices and guidance issued by Heathrow, recommending that employees avoid or minimize their use of USB sticks whenever possible. At one point prior to the data breach, Heathrow had also advised employees: "Only use encrypted removable devices (e.g. USBs) approved by Heathrow and only use them if there's no alternative."
But the ICO says such guidance was not enforced and was poorly promulgated.
"HAL informed the commissioner that its data protection manager made 'thought-based determinations' as to which groups of employees had the greatest exposure to personal data and a strategy for training devised accordingly," the ICO says. "HAL estimated that only 2 percent of its 6,500 employees had received data protection training, being those deemed to be at greatest risk of exposure to personal data. It also confirmed that such training was not in place for security trainers, including the staff member involved in the incident."
At the time of the incident, Heathrow had technical controls in place to prevent unauthorized access to data, but not to prevent individuals with data access from storing it on unencrypted removable media, the ICO says.
Data Protection Act
The Heathrow Airport breach occurred while the country's old Data Protection Act was in effect, which allowed for a maximum fine of £500,000 ($660,000). ICO levied that maximum fine last month against Equifax after investigating its 2017 data breach (see Equifax Hit With Maximum UK Privacy Fine After Mega-Breach).
The ICO had also levied £400,000 ($520,000) fines against three organizations: TalkTalk and Carphone Warehouse, both of which suffered serious data breaches, as well as against Keurboom Communications Ltd, which made nearly 100 million nuisance calls.
All breaches that occur in the U.K. from May 25 onward fall not only under the EU's General Data Protection Regulation, which came into full effect on that date, but also the country's Data Protection Act 2018, which imposes additional data security requirements on organizations. It also gives the ICO the ability to impose the maximum fines allowed under GDPR.
Organizations that fail to comply with GDPR's privacy requirements face fines of up 4 percent of their annual global revenue or €20 million ($23 million), whichever is greater. Organizations that fail to comply with GDPR's reporting requirements also face a separate fine of up to €10 million ($12 million) or 2 percent of annual global revenue (see GDPR Effect: Data Protection Complaints Spike).