[BreachExchange] Airport fined after data leak ‘showed Queen’s travel plans’

Destry Winant destry at riskbasedsecurity.com
Mon Oct 8 20:58:42 EDT 2018


Heathrow Airport has been fined £120,000 after a data leak reportedly
revealing details about the Queen’s travel plans sparked a major

The Information Commissioner’s Office (ICO) handed out the fine after
a member of the public found a USB memory stick which had been lost by
a “rogue” member of Heathrow staff.

The contents, more than 1,000 files across 76 folders, were viewed at
a public library in October 2017 before being handed over to the
Sunday Mirror.

Heathrow Airport Limited fined £120,000 for serious failings in its
data protection practices: https://t.co/lTyE1P32Ch

— ICO (@ICOnews) October 8, 2018

The newspaper said the USB stick, which was neither encrypted nor
password protected, was discovered by a member of the public in Ilbert
Street in Queen’s Park, west London.

It reportedly contained files revealing information such as security
measures used to protect the Queen at Europe’s busiest airport, the
types of ID needed to access restricted areas and the locations of
CCTV cameras and tunnels linked to the Heathrow Express.

The ICO said it contained a training video containing personal details
of 10 individuals “involved in a particular greeting party”, and the
details of up to 50 Heathrow security personnel.

The breach forced the airport’s chief executive John Holland-Kaye to
subsequently tell MPs security had not been compromised.

Following the fine, Steve Eckersley, ICO director of investigations,
said: “Data protection should have been high on Heathrow’s agenda.

“But our investigation found a catalogue of shortcomings in corporate
standards, training and vision that indicated otherwise.

“Data protection is a boardroom issue and it is imperative that
businesses have the policies, procedures and training in place to
minimise any vulnerabilities of the personal information that has been
entrusted to them.”

The ICO investigation found that only 2% of the 6,500-strong workforce
had been trained in data protection.

Other concerns noted during the investigation included the widespread
use of removable media in contravention of Heathrow’s own policies and
guidance and ineffective controls preventing personal data from being
downloaded onto unauthorised or unencrypted media.

HAL carried out a number of remedial actions once it was informed of
the breach including reporting the matter to the police, acting to
contain the incident and engaging a third party specialist to monitor
the internet and dark web.

A Heathrow spokesman said: “Following this incident the company took
swift action and strengthened processes and policies.

“We accept the fine that the ICO have deemed appropriate and spoken to
all individuals involved.

“We recognise that this should never have happened and would like to
reassure everyone that necessary changes have been implemented
including the start of an extensive, information security training
programme which is being rolled out companywide.

“We take our compliance with all laws extremely seriously and operate
within the stringent regulatory and legal requirements demanded of

Heathrow’s own investigation into the matter indicated the data was
compiled by a “rogue” employee security trainer, and had been lost
during a commute to or from work.
