The Information Commissioner’s Office (ICO) has issued a monetary penalty of £120,000 on Heathrow Airport under the 1998 Data Protection Act for failing to prevent the loss of personal data in October last year.
In October last year, a man found an abandoned memory stick in Ilbert Street which, after careful examination, was found containing secret information on restricted routes for the Queen, politicians, and dignitaries, but also escape routes for the Heathrow Express railway.
If a malicious actor gained access to the memory stick, he would also have learned about all the IDs required to access restricted areas of the airport. He would also have learned about the locations of all CCTV cameras in and around the world’s busiest airport and details about an ultrasound radar system that scanned all roads and runways. Most of the data stored in the memory stick were unencrypted.
Heathrow’s data security practices were ineffective
Following the discovery of the memory stick, Heathrow said that it had launched an internal investigation to understand how the data got leaked and to prevent a similar occurrence in the future. However, concerns remained on who else accessed the memory stick and if the information stored in it was used by malicious actors for nefarious purposes.
According to the ICO, the memory stick also contained ten individuals’ details including names, dates of birth, passport numbers, and the details of up to 50 HAL aviation security personnel, thereby confirming that aside from sensitive details about airport security, personal data of Heathrow employees had also been compromised.
While investigating the breach and Heathrow’s cyber security protocols, the ICO noted that only two percent of the 6,500-strong workforce at the airport had been trained in data protection, that despite having policies that restricted the use of removable media, Heathrow allowed the widespread use of such devices, and that Heathrow had ineffective controls preventing personal data from being downloaded onto unauthorised or unencrypted media.
“Data Protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise. Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them,” said Steve Eckersley, Director of Investigations at the ICO.
“Following this incident, the company took swift action and strengthened processes and policies. We accept the fine that the ICO have deemed appropriate and spoken to all individuals involved,” said a Heathrow spokeswoman.
“We recognise that this should never have happened and would like to reassure everyone that necessary changes have been implemented, including the start of an extensive information security training programme which is being rolled out company-wide,” she added.
Multiple fines issued under 1998 DPA
The fine issued to Heathrow was the second such fine issued by the ICO in as many weeks under the 1998 Data Protection Act. Health insurance company Bupa was also fined £175,000 recently for failing to prevent a massive data breach last year that compromised personal information of up to 108,000 international health insurance customers.
The breach took place when a malicious employee at Bupa gained access to the company’s customer relationship management system (“SWAN”) that stored personal information of 1.5 million customers, misused his privileged access to steal data of 108,000 customers and then put up the data for sale on the dark web.
Similarly, the ICO also fined Greenwich University £120,000 in May for failing to prevent the breach of personal data of nearly 20,000 students, staff and alumni. The University had failed to shut down a 14-year old microsite that contained personal details of 19,500 students, staff, and alumni such as “information on extenuating circumstances, details of learning difficulties and staff sickness records”.