Heathrow Airport Fined For Data Security Breach
The operator of London’s Heathrow Airport has been fined GBP£120,000 (USD$156,500) by a UK data privacy regulator for failing to ensure that personal data held on its network was properly secured.
The Information Commissioner’s Office (ICO) fine was for a 2017 incident when an employee of Heathrow Airport lost a USB memory stick that was subsequently found by a member of the public.
The stick held 76 folders with over 1,000 files, some of which contained personal information including names, dates of birth and passport numbers of a number of airport employees. The data was neither encrypted nor password protected, the ICO said.
The person who found the stick viewed it before handing it over to a national newspaper, which took copies of the data before giving it back to the airport operator.
The regulator said that although the personal data held on the stick made up only a small amount of the total files, it was particularly concerned about a training video which exposed ten individuals’ details, and the details of up to 50 aviation security personnel at the airport.
“Data Protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise,” ICO Director of Investigations Steve Eckersley said.
The ICO investigation found that only two percent of the 6,500-strong workforce had been trained in data protection.
Other concerns included the widespread use of removable media in contravention of the company’s policies and guidance, and ineffective controls to prevent personal data from being downloaded onto unauthorised or unencrypted media.
Heathrow Airport said it had carried out remedial action when it was informed of the breach, including reporting the matter to the police, acting to contain the incident and engaging a third-party specialist to monitor the internet and dark web.