ICO hits Heathrow Airport with £120,000 data breach fine over lost USB stick

Heathrow Airport has begun a company-wide information security training programme for its staff after being hit with a £120,000 data breach fine by the Information Commissioner’s Office (ICO).

The data protection watchdog handed down the fine after an unencrypted USB stick belonging to a junior staff member was found by a member of the public. It contained sensitive personal data pertaining to an unconfirmed number of people working at the airport.

“In particular, the stick held a training video containing names, dates of birth, vehicle registrations, nationality, passport numbers and expiry, roles, and mobile numbers of 10 individuals involved in a particular greeting party, and also details of between 12 and 50 (exact number unconfirmed) Heathrow aviation security personnel, ” the ICO penalty notice said.

This information was “erroneously captured” during a three-second portion of the video, when a page from an open ring binder containing the information briefly appeared on screen.

“Given the way the data was captured and displayed, it would not be readily available or searchable, but [the information commissioner] considers that a motivated individual could locate and extract the data in a more permanent way,” the notice said.

Although the USB stick contained more than 1,000 files overall, just 1% of this information could be classified as being personal in nature. Also, a subsequent investigation by the ICO revealed less than 2% of the airport’s 6,500-strong workforce had received data protection training.  

“Given that Heathrow Airport is Europe’s busiest airport, where high-level security should be inherent, loss or unauthorised disclosure of personal data of staff could have presented a greater risk if found by individuals who had not handled the data responsibly,” the penalty notice said.

“Taking into account all of the above, the commissioner has decided that the penalty is £120,000.”

According to the report, the USB stick was found in Kilburn, west London, on 16 October 2017, before being handed in to a national newspaper 10 days later, which – it is claimed – took a copy of its contents and returned it to the airport on 27 October.  

The ICO became aware of the matter on 30 October, after reports of the breach first appeared in the media. In turn, it then contacted Heathrow for further information, and the airport submitted a completed ICO breach notification form on 7 November 2018.

In a statement to Computer Weekly, a spokesperson for Heathrow Airport said that in response to being notified of the breach, it had taken swift action to strengthen its data protection processes and policies.

“We accept the fine that the ICO has deemed appropriate and spoken to all individuals involved,” it said. “We recognise that this should never have happened and would like to reassure everyone that necessary changes have been implemented, including the start of an extensive information security training programme, which is being rolled out company-wide.

“We take our compliance with all laws extremely seriously and operate within the stringent regulatory and legal requirements demanded of us.”

Steve Eckersley, director of investigations at the ICO, said: “Data protection should have been high on Heathrow’s agenda, but our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise.

“Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them.”