Heathrow fined by the ICO over USB stick data breach

Heathrow Airport has been fined £120,000 by the Information Commissioner’s Office for “serious” data protection failings. It comes after a staff member lost a USB stick last October containing “sensitive personal data”, which was later found by a member of the public.

Reports at the time claimed this included the Queen’s security and travel arrangements, although the ICO would not confirm this. Heathrow said it regretted the breach.

The Information Commissioner’s Office (ICO) said the memory stick, which contained 76 folders and more than 1,000 files, was not encrypted or password-protected.

It said only a small number of files contained “sensitive” information, including a training video that exposed the names, dates of birth and passport numbers of 10 people. Personal data of up to 50 Heathrow aviation security personnel was also revealed.

However, a report in the Mirror newspaper at the time suggested the breach had also posed a risk to national security.

It reported that a man had found the memory stick on a West London street and viewed its contents at a local library, discovering information including:

  • A timetable of patrols that was used to guard the site against suicide bombers and terror attacks
  • Routes and safeguards for Cabinet ministers and foreign dignitaries
  • The exact route the Queen took when using the airport and security measures used to protect her.

The ICO confirmed the memory stick had been passed on to an unnamed national newspaper.

However, it would not comment on the national security claims, saying that the scope of its investigation had been to look at “personal data” only.

Steve Eckersley, ICO director of investigations, said: “Data protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise.”

The ICO added that only 2% of the airport’s 6,500-strong workforce had been trained in data protection. Heathrow also declined to comment on the national security claims.

However, a spokeswoman said: “Following this incident, the company took swift action and strengthened processes and policies.

“We accept the fine that the ICO have deemed appropriate and spoken to all individuals involved.

“We recognise that this should never have happened and would like to reassure everyone that necessary changes have been implemented, including the start of an extensive information security training programme which is being rolled out company-wide.”