Heathrow Airport fined by Information Commissioner’s Office (ICO) after Queen’s travel plans are exposed

Serious failings in airport’s data protection processes prompt £120,000 fine.

The ICO has fined Heathrow Airport Limited (HAL) £120,000 for failing to secure personal data held on its network. In October 2017 a USB memory stick containing over 1,000 unencrypted files was lost by a HAL employee. The memory stick, which was later found by a member of the public, was not password protected. The finder viewed the material it contained at a local library before passing the stick to The Daily Mirror. The newspaper said the USB stick was discovered in Ilbert Street in Queen’s Park, west London. It reportedly contained information such as the security measures used to protect the Queen at Europe’s busiest airport, the types of ID required to access restricted areas, and the locations of CCTV cameras. The newspaper took copies of the data before returning the stick to Heathrow Airport.

The official line:
“Heathrow Airport fined for failing to ensure that the personal data held on its network was properly secured.”
Heathrow Airport has been fined £120,000 after a data leak reportedly revealing details about the Queen’s travel plans sparked a major investigation.
The Information Commissioner’s Office handed out the fine after a member of the public found a USB memory stick which had been lost by a “rogue” member of Heathrow staff. The ICO said it contained a training video containing personal details of 10 individuals “involved in a particular greeting party”. Details of up to 50 Heathrow security personnel were also stored on the device. Following the fine, ICO director of investigations, Steve Eckersley, said:
Data protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise. Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them.
Inadequate training and data protection controls
Only 2% of the 6,500-strong workforce had received data protection training, according to the ICO investigation. The ICO raised other concerns during the investigation. These included the widespread use of removable media in contravention of Heathrow’s own policies, a lack of guidance, and ineffective controls for preventing personal data from being downloaded onto unauthorised or unencrypted media. Since being informed of the breach, HAL has implemented a number of remedial actions, including:
reporting the matter to the police;
acting to contain the incident; and
engaging a third party specialist to monitor the internet and dark web.
A spokesperson for Heathrow Airport said:
Following this incident the company took swift action and strengthened processes and policies. We accept the fine that the ICO have deemed appropriate and have spoken to all individuals involved. We recognise that this should never have happened and would like to reassure everyone that necessary changes have been implemented, including the start of an extensive information security training programme which is being rolled out company-wide…
The case was dealt with under the provisions and maximum penalties of the Data Protection Act 1998, and not the 2018 Act which has replaced it, because of the date of the breach.