Heathrow Airport has been fined £120,000 after a data leak reportedly revealing details about the Queen’s travel plans sparked a major investigation.
The Information Commissioner’s Office (ICO) handed out the fine after a member of the public found a USB memory stick which had been lost by a “rogue” member of Heathrow staff.
The contents, more than 1,000 files across 76 folders, were viewed at a public library in October 2017 before being handed over to the Sunday Mirror.
Heathrow Airport Limited fined £120,000 for serious failings in its data protection practices: https://t.co/lTyE1P32Ch pic.twitter.com/FkR2HPlEip
— ICO (@ICOnews) October 8, 2018
The newspaper said the USB stick, which was neither encrypted nor password protected, was discovered by a member of the public in Ilbert Street in Queen’s Park, west London.
It reportedly contained files revealing information such as security measures used to protect the Queen at Europe’s busiest airport, the types of ID needed to access restricted areas and the locations of CCTV cameras and tunnels linked to the Heathrow Express.
The ICO said it contained a training video containing personal details of 10 individuals “involved in a particular greeting party”, and the details of up to 50 Heathrow security personnel.
The breach forced the airport’s chief executive John Holland-Kaye to subsequently tell MPs security had not been compromised.
Following the fine, Steve Eckersley, ICO director of investigations, said: “Data protection should have been high on Heathrow’s agenda.
“But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise.
“Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them.”
The ICO investigation found that only 2% of the 6,500-strong workforce had been trained in data protection.
Other concerns noted during the investigation included the widespread use of removable media in contravention of Heathrow’s own policies and guidance and ineffective controls preventing personal data from being downloaded onto unauthorised or unencrypted media.
HAL carried out a number of remedial actions once it was informed of the breach including reporting the matter to the police, acting to contain the incident and engaging a third party specialist to monitor the internet and dark web.
A Heathrow spokesman said: “Following this incident the company took swift action and strengthened processes and policies.
“We accept the fine that the ICO have deemed appropriate and spoken to all individuals involved.
“We recognise that this should never have happened and would like to reassure everyone that necessary changes have been implemented including the start of an extensive, information security training programme which is being rolled out companywide.
“We take our compliance with all laws extremely seriously and operate within the stringent regulatory and legal requirements demanded of us.”
Heathrow’s own investigation into the matter indicated the data was compiled by a “rogue” employee security trainer, and had been lost during a commute to or from work.
