The ICO (Information Commissioner’s Office) has fined Heathrow Airport £120,000 for failing to secure sensitive personal data after a member of the public found an unencrypted USB stick containing data about the airport’s staff.
The data affected:
The ICO penalty notice said:
[T]he stick held a training video containing names, dates of birth, vehicle registrations, nationality, passport numbers and expiry, roles and mobile numbers of 10 individuals involved in a particular greeting party, and also details of between 12 and 50 (exact number unconfirmed) Heathrow aviation security personnel, including names, job titles and identification of two individuals who were trade union members or chairs.
This data was “erroneously captured” during a three-second portion of the video, when a page from an open ring binder containing the information briefly appeared on screen. The notice went on to say:
[G]iven the way [the personal data] was captured and displayed, [it] would not be readily available or searchable, but [the Information Commissioner] considers that a motivated individual could locate and extract the data in a more permanent way, for example by way of screenshot.
In total, the memory stick contained more than 1,000 files, but just 1% of the contents comprised personal data. At the time of the breach, reports claimed that data on the stick also included the Queen’s travel itinerary. However, the ICO hasn’t confirmed this.
How did the data breach occur?
Newspaper reports claim that the USB stick was found in London on 16 October 2017, and that the person who found the stick viewed the contents on a library computer before passing it to the Sunday Mirror. The newspaper copied the data before returning the stick to Heathrow Airport.
Subsequent investigations undertaken by the ICO found that just 2% of Heathrow’s 6,500 staff were properly trained in data protection. ICO Director of Investigations Steve Eckersley said:
Data Protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise. […] Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them.
Heathrow Airport was fined under the old data protection rules, under which the maximum penalty was £500,000. Had it been penalised under the Data Protection Act 2018, it could have faced a maximum penalty of 4% of its global annual turnover.
Heathrow could have mitigated the risk if information security training had been consistently provided for staff and procedures had been properly followed. Make sure that staff training is on your agenda and that you and your organisation are #BreachReady.