Heathrow Airport fined £120,000 over USB data breach debacle

In a prime example of data protection failure, a USB containing sensitive information ended up in the hands of the public.
Written by Charlie Osborne, Contributing Writer

Heathrow Airport has been fined £120,000 by regulators following an embarrassing data breach caused by a USB stick.

The London-based airport, which is the busiest in the United Kingdom, was left red-faced after an employee lost a USB stick containing 76 folders and over 1,000 confidential files.

The storage device, which contained the names, dates of birth, passport numbers, and other details relating to individuals and aviation security staff, was discovered by a member of the public in October last year.

After rummaging through the USB at a public library, the individual handed over the USB stick to the press.

The information was not protected or encrypted. After a newspaper took a copy of the information, the USB was returned to the airport -- but the loss of the information in the first place did not go unnoticed by the UK Information Commissioner's Office (ICO).

On Monday, the ICO said that Heathrow Airport has to pay a fine of £120,000 for allowing the security incident to take place and for failing to ensure that the "personal data held on its network was properly secured."

"Data protection should have been high on Heathrow's agenda," said ICO Director of Investigations Steve Eckersley. "But our investigation found a catalog of shortcomings in corporate standards, training, and vision that indicated otherwise."

While Heathrow took action to monitor potential data leaks online caused by the breach, the ICO discovered during its investigation that only two percent of Heathrow Airport's 6,500-strong staff base had been trained in data protection.

Fines for modern data breaches are going to be issued under the EU's General Data Protection Regulation (GDPR), rather than the older Data Protection Act 1998, if they occurred after May 25, 2018.

The Data Protection Act permits a maximum fine of £500,000, whereas GDPR can be used by regulators to issue a penalty of up to €20 million or four percent of turnover, whichever is greater.

The penalty for this security incident was issued under the previous rules. However, if Heathrow Airport wishes to avoid potentially higher fines in the future, now is the time to invest in data protection training.

"Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures, and training in place to minimize any vulnerabilities of the personal information that has been entrusted to them," Eckersley said.

A Heathrow Airport spokesperson told ZDNet:

"Following this incident the company took swift action and strengthened processes and policies. We accept the fine that the ICO have deemed appropriate and spoken to all individuals involved. We recognise that this should never have happened and would like to reassure everyone that necessary changes have been implemented including the start of an extensive, information security training programme which is being rolled out companywide.

"We take our compliance with all laws extremely seriously and operate within the stringent regulatory and legal requirements demanded of us."
