ICO fines Heathrow over USB stick fiasco

Airport hit with £120,000 penalty for failing to secure personal data within its network

USB stick next to keyboard

Heathrow Airport has been accused of a "catalogue of shortcomings" and fined 120,000 by the ICO over data protection failings.

The ICO began an investigation into the airport after a member of the public found a USB stick which had been lost by a Heathrow employee in October last year.

The stick, which contained 76 folders and more than 1,000 files, was neither encrypted nor password protected, which allowed the member of the public to view its contents at a local library.

Advertisement - Article continues below

"Data Protection should have been high on Heathrow's agenda," said the ICO's director of investigations, Steve Eckersley. "But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise.

"Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them."

Although the amount of sensitive and personal data held on the stick comprised a small amount of the total files, the ICO said it was concerned about a training video, which exposed the details of 10 individuals. The information included their names, dates of birth, passport numbers and the details of up to 50 other Heathrow aviation security personnel.

Advertisement
Advertisement - Article continues below

The leak became public knowledge when the stick was passed to a national newspaper, which took copies of the data before giving the stick back to Heathrow Airport Ltd (HAL). A number of standard remedial actions were taken by HAL once it was informed of the breach, such as reporting the matter to the police and engaging a third-party specialist to monitor the internet and the dark web.

Advertisement - Article continues below

However, the ICO's investigation found further evidence that HAL's staff were not up to scratch with just two percent of the 6,500-strong workforce having received data protection training.

Other concerns noted during the investigation included the widespread use of removable media in contradiction of HAL's own policies and guidance, as well as ineffective controls preventing personal data from being downloaded onto unauthorised or unencrypted media.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement

Most Popular

Visit/security/privacy/355155/zoom-kills-facebook-integration-after-data-transfer-backlash
privacy

Zoom kills Facebook integration after data transfer backlash

30 Mar 2020
Visit/security/data-breaches/355173/marriott-hit-by-data-breach-exposing-personal-data-of-52-million
data breaches

Marriott data breach exposes personal data of 5.2 million guests

31 Mar 2020
Visit/security/cyber-crime/355171/fbi-warns-of-zoom-bombing-hackers-amidst-coronavirus-usage-spike
cyber crime

FBI warns of ‘Zoom-bombing’ hackers amid coronavirus usage spike

31 Mar 2020
Visit/data-insights/data-management/355170/oracle-cloud-courses-are-free-during-coronavirus-lockdown
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020