Heathrow Airport Fined Over Data Breach Involving a Misplaced USB Drive


Last October, a Heathrow employee lost a USB stick containing 76 folders and more than 1,000 confidential files, including the names, dates of birth, passport numbers and other personal information related to aviation security staff.

The USB stick was found by a member of the public who, after rummaging through it at a public library, handed it over to the press, who made a copy and returned it to the airport. The information on the USB drive was neither encrypted nor protected. Only a small number of files contained “sensitive” information, including a training video that exposed the names, dates of birth and passport numbers of 10 people. Personal data of up to 50 Heathrow aviation security personnel was also revealed.

Unconfirmed reports at the time claimed this included the Queen’s security and travel arrangements. Heathrow said it regretted the breach.

On Monday, the UK Information Commissioner’s Office (ICO) said that Heathrow Airport has to pay a fine of £120,000 (about $158,173) for allowing the security incident to take place and for failing to ensure that the “personal data held on its network was properly secured.”

Mike McCandless, an executive from Apricorn, a leading encryption storage company based in California, said of the incident, “Though USB storage devices are an integral part of many IT workflows and improve employee productivity, data security has to be addressed to avoid embarrassing, costly incidences like this. Requiring data encryption on USB devices would have made this incident a non-issue. GDPR has and will continue to bring needed visibility to data security and motivate companies to deploy affordable technologies like data encryption and port control to avoid being in the news for all the wrong reasons.”

By Steven Bowcut, CPP, PSP, Brilliance Security Magazine Editor-in-Chief