Remember that lost memory stick from Heathrow Airport? The terrorist's wet dream? So does the ICO

Operator fined £120k by UK data watchdog


Heathrow Airport Limited (HAL) has been fined £120,000 by the UK's data watchdog for the loss of an unencrypted USB memory stick reportedly containing airport security data.

The device misplaced by a HAL employee, as reported by El Reg, was said to house a trove of documents including routes and timings of airport security patrols, ID required to access restricted areas, maps of CCTV cameras and even the Queen's exact route used each time she travelled there.

A member of the public found the stick, which was neither password-protected nor encrypted, on 16 October 2017 in West London. The contents were then viewed at a local library before being taken to a national newspaper, which recorded the data and returned the stick to HAL.

The Information Commissioner's Office (ICO) said today the stick contained 76 folders and more than 1,000 files; of "particular concern" were the names, birth dates and passport numbers of 10 individuals and details of up to 50 HAL aviation security staff.

According to reports last autumn, 2.5GB of documents marked as "confidential" or "restricted" were discovered on the memory stick. These were security classifications that central government had replaced years earlier. The ICO made no reference to this and told us it only investigates and comments on cases of personal privacy.

"Data Protection should have been high on Heathrow's agenda," said ICO director of investigations Steve Eckersley. "But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise."

He said data safety is a "boardroom issue" and it is "imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them".

As part of its probe, the ICO discovered that just 2 per cent of the 6,500 workers at HAL had been trained in data protection. The ICO also noted "widespread" use of removable storage media that flouted HAL's internal policies and guidance, and sloppy controls for preventing staff from downloading personal data onto unauthorised or unencrypted media.
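The control the ICO found missing here is an enforceable one on a Windows fleet. The script below is an added example (not from the article, and not HAL's tooling) that audits a single endpoint for the two things that would have stopped this incident: whether the "deny write access to removable drives not protected by BitLocker" policy is enforced, and whether any currently mounted removable volume is unencrypted. It assumes the BitLocker PowerShell module is installed and that it runs in an elevated session; the registry location and value name are the ones the BitLocker Group Policy writes.

```powershell
# Added example (not from the article): audit a Windows endpoint for the
# removable-media gap the ICO describes. Assumes the BitLocker PowerShell
# module is present and the script runs elevated.

function Get-RemovableMediaPolicyStatus {
    # The Group Policy "Deny write access to removable drives not protected by
    # BitLocker" is stored under this key as RDVDenyWriteAccess = 1 when enabled.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $value = (Get-ItemProperty -Path $policyPath -Name 'RDVDenyWriteAccess' `
                -ErrorAction SilentlyContinue).RDVDenyWriteAccess

    [PSCustomObject]@{
        Check  = 'DenyWriteToUnencryptedRemovable'
        Status = if ($value -eq 1) { 'Enforced' } else { 'NotEnforced' }
    }
}

function Get-RemovableVolumeEncryptionStatus {
    # Enumerate every mounted removable volume and report its BitLocker state.
    Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $mount = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue

            # A volume only counts as protected when it is fully encrypted AND
            # protection is switched on (an encrypted drive with protection
            # suspended is still readable by whoever finds it).
            $protected = $bl -and
                         $bl.VolumeStatus -eq 'FullyEncrypted' -and
                         $bl.ProtectionStatus -eq 'On'

            [PSCustomObject]@{
                Drive            = $mount
                Label            = $_.FileSystemLabel
                VolumeStatus     = if ($bl) { $bl.VolumeStatus }     else { 'Unknown' }
                ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'Unknown' }
                Finding          = if ($protected) { 'OK' } else { 'UNENCRYPTED-OR-UNPROTECTED' }
            }
        }
}

# Usage: run the two checks and print the findings for this machine.
Get-RemovableMediaPolicyStatus        | Format-Table -AutoSize
Get-RemovableVolumeEncryptionStatus   | Format-Table -AutoSize
```

Run across a fleet (via a management tool or remoting), the first check tells you whether the policy the ICO's finding implies is actually applied, and the second surfaces any stick that was plugged in and written to without encryption. Neither check addresses the other finding in the report, that only 2 per cent of staff were trained; the technical control just removes the opportunity for an untrained user to repeat the mistake.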

The ICO said that, after being alerted to the embarrassing breach, HAL undertook numerous remedial actions that ranged from informing the cops to hiring a specialist to monitor the internet and dark web, presumably for evidence that the data was being posted or sold.

The case was managed under the provisions and maximum penalties of the Data Protection Act 1998. ®
