It’s not every day that you see an airport come under fire for security reasons. London’s Heathrow, one of the busiest airports in the world, would be the last place you’d expect to find surrounded by security issues.
Recently, the UK’s Information Commissioner’s Office (ICO) fined the airport £120,000 for a data breach. The airport was accused of a “catalog of shortcomings” in failing to secure data.
The ICO opened its investigation after someone found a USB stick that a Heathrow employee had misplaced in October 2017.
The USB drive contained over a thousand files in 76 folders and had no encryption or password protection, which allowed the finder to view its contents at a local library.
Steve Eckersley, Director of Investigations for the ICO, said:
“Data protection should have been high on Heathrow’s agenda. But our investigation found a catalog of shortcomings in corporate standards, training and vision that indicated otherwise.”
He further commented:
“Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures, and training in place to minimize any vulnerabilities of the personal information that has been entrusted to them.”
Although the stick did not hold a sizable amount of sensitive personal data, the ICO was concerned about a training video that exposed the personal details of 10 individuals. The leaked information included names, dates of birth, passport numbers and details of 50 Heathrow aviation security personnel.
The leak came to light when the stick’s contents were shared with a national newspaper. The news outlet took copies of the data before returning the stick to Heathrow Airport Ltd. (HAL). Once the organization was informed of the leak, it followed standard procedures, including reporting to the police and hiring a third party to monitor the internet and the dark web.
Heathrow’s Security Concerns
The ICO’s investigation found that, of HAL’s 6,500 staff, only two percent had received formal data protection training.
There were further concerns over the use of removable media in violation of HAL’s own policies, and over ineffective measures to prevent personal data from being used and downloaded onto unauthorized and unencrypted media.