Heathrow Airport Limited (HAL) has been fined £120,000 by the UK's data watchdog for the loss of an unencrypted USB memory stick reportedly containing airport security data.
The device misplaced by a HAL employee, as reported by El Reg, was said to house a trove of documents including routes and timings of airport security patrols, ID required to access restricted areas, maps of CCTV cameras and even the Queen's exact route used each time she travelled there.
A member of the public found the stick, which was not password protected and the data not encrypted, on 16 October 2017 in West London. The contents were then viewed at a local library before being taken to a national newspaper, which recorded the data and returned the stick to HAL.
The Information Commissioner's Office (ICO) said today the stick contained 76 folders and more than 1,000 files, which of "particular concern" included the names, birth dates and passport numbers of 10 individuals and details of up to 50 HAL aviation security staff.
According to reports last autumn, 2.5GB of documents marked as "confidential" or "restricted" were discovered on the memory stick. These were security classifications replaced by central government years earlier. The ICO made no reference to this and told us it only investigates/ comments on cases of personal privacy.
"Data Protection should have been high on Heathrow's agenda," said ICO director of investigations Steve Eckersley. "But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise."
He said data safety is a "boardroom issue" and it is "imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them".
As part of its probe, the ICO discovered that just 2 per cent of the 6,500 workers at HAL had been trained in data protection. The ICO also noted "widespread" use of removable storage media that flouted HAL's internal policies and guidance, and sloppy controls over preventing staff downloading personal data onto unauthorised or unencrypted media.
The ICO said that, after being alerted to the embarrassing breach, HAL undertook numerous remedial actions that ranged from informing the cops to hiring a specialist to monitor the internet and dark web, presumably for evidence that the data was being posted or sold.
The case was managed under the provisions and maximum penalties of the Data Protection Act 1998. ®