Losing a USB stick cost Heathrow Airport $157,000

London Heathrow Airport slapped with fine after employee lost USB drive with confidential files
10 October 2018

Heathrow executives lost a valuable pen drive, but the question is — why store the data on a pen drive at all? (Image for representative purposes only) Source: Shutterstock

London’s Heathrow Airport has been slapped with a fine of GBP120,000 (about US$157,000) over a lost USB drive.

Although the memory stick has since been retrieved, regulators were not prepared to overlook the data breach that occurred when an employee lost the drive, which held thousands of confidential files, last October.

According to a statement released by the UK Information Commissioner’s Office (ICO), the storage device contained the names, dates of birth, passport numbers, and other details relating to individuals and aviation security staff.

The device was found on a West London street by a member of the public, who viewed the contents at a local library before passing it on to the press. The files were neither encrypted nor password protected.

After the unnamed national newspaper took a copy of the information, the USB was returned to the airport.

“Data Protection should have been high on Heathrow’s agenda. But our investigation found a catalog of shortcomings in corporate standards, training, and vision that indicated otherwise,” said ICO Director of Investigations, Steve Eckersley.

During investigations, the ICO found that only two percent of Heathrow’s 6,500-strong workforce had been trained in data protection.

Additionally, the ICO expressed concerns over the “widespread use of removable media” at the airport, which infringed the airport’s own policies and guidance.

The regulator also noted that the airport had “ineffective controls” to prevent personal data from being downloaded onto unauthorized or unencrypted media.

“Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures, and training in place to minimize any vulnerabilities of the personal information that has been entrusted to them,” Eckersley added.

Since the breach, Heathrow Airport has taken action to monitor the internet and the dark web for any potential data leaks online caused by the breach.

Although the UK is currently bound by the EU’s General Data Protection Regulation (GDPR), the incident falls under the remit of the older Data Protection Act 1998, as the breach occurred before May 25, 2018.

The previous data protection laws permit a maximum fine of GBP500,000 (US$657,000). Under GDPR, regulators can issue penalties of up to EUR20 million (approximately US$23 million) or four percent of turnover, whichever is greater.

Heathrow is lucky to have avoided higher fines this time around. Had the breach happened any later, the airport would have faced much heftier fines.