Remember that lost memory stick from Heathrow Airport? The terrorist's wet dream? So does the ICO

Operator fined £120k by UK data watchdog

Heathrow Airport Limited (HAL) has been fined £120,000 by the UK's data watchdog for the loss of an unencrypted USB memory stick reportedly containing airport security data.

The device misplaced by a HAL employee, as reported by El Reg, was said to house a trove of documents including routes and timings of airport security patrols, ID required to access restricted areas, maps of CCTV cameras and even the Queen's exact route used each time she travelled there.

A member of the public found the stick, which was not password protected and the data not encrypted, on 16 October 2017 in West London. The contents were then viewed at a local library before being taken to a national newspaper, which recorded the data and returned the stick to HAL.

The Information Commissioner's Office (ICO) said today the stick contained 76 folders and more than 1,000 files. Of "particular concern" were the names, birth dates and passport numbers of 10 individuals and details of up to 50 HAL aviation security staff.

According to reports last autumn, 2.5GB of documents marked as "confidential" or "restricted" were discovered on the memory stick. These were security classifications replaced by central government years earlier. The ICO made no reference to this and told us it only investigates and comments on cases of personal privacy.

"Data Protection should have been high on Heathrow's agenda," said ICO director of investigations Steve Eckersley. "But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise."

He said data safety is a "boardroom issue" and it is "imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them".

As part of its probe, the ICO discovered that just 2 per cent of the 6,500 workers at HAL had been trained in data protection. The ICO also noted "widespread" use of removable storage media that flouted HAL's internal policies and guidance, and sloppy controls over preventing staff downloading personal data onto unauthorised or unencrypted media.

The ICO said that, after being alerted to the embarrassing breach, HAL undertook numerous remedial actions that ranged from informing the cops to hiring a specialist to monitor the internet and dark web, presumably for evidence that the data was being posted or sold.

The case was managed under the provisions and maximum penalties of the Data Protection Act 1998. ®
