Heathrow Airport has been slapped with a £120,000 fine for failing to secure personal data after an employee lost a memory stick containing sensitive information.
The penalty was doled out by the Information Commissioner’s Office (ICO) following a probe into data that had been downloaded onto a USB stick which was found by a member of the public in October last year.
It contained more than 1,000 files but was not encrypted or password protected.
Those files included a training video which exposed the names, birth dates and passport numbers of 10 people, as well as the details of up to 50 Heathrow Airport aviation security staff.
The contents were viewed by a member of the public at a local library, though the stick was then passed on to a national newspaper which took copies of the data before returning it to Heathrow Airport.
The ICO’s director of investigations Steve Eckersley said: “Data Protection should have been high on Heathrow’s agenda.
“Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them.”
The ICO’s probe found that just 2% of Heathrow’s 6,500 staff were properly trained in data protection.
It also found there were inadequate controls preventing personal data being downloaded onto “unauthorised or unencrypted media”.
But once Heathrow was aware of the breach, the ICO said the airport company made sure to report the matter to police and hire specialists to monitor the internet and dark web to help “contain the incident”.
The company was fined under old rules, under which the maximum penalty is set at £500,000.
Had Heathrow Airport been penalised under the 2018 version of the Data Protection Act – which includes the General Data Protection Regulation (GDPR) provisions – it could have risked the maximum penalty of £17 million or 4% of its global revenues.
A Heathrow spokesperson said: “Following this incident the company took swift action and strengthened processes and policies.
“We accept the fine that the ICO have deemed appropriate and spoken to all individuals involved.
“We recognise that this should never have happened and would like to reassure everyone that necessary changes have been implemented, including the start of an extensive information security training programme which is being rolled out company-wide.”