Companies are being warned to ensure that data protection is given the highest priority in the boardroom following a catalogue of failures uncovered in an investigation into Heathrow Airport, including the fact that just 2% of staff had received data protection training.
The move follows an Information Commissioner’s Office investigation into a major data breach at the airport triggered when a member of the public found a USB memory stick, which had been lost by a Heathrow employee. The stick, which contained 76 folders and over 1,000 files, was neither encrypted nor password protected.
The member of the public viewed the material it contained at a local library. The stick was then passed to a national newspaper, which took copies of the data before giving the stick back to Heathrow.
The information reportedly included routes and timings of airport security patrols, ID required to access restricted areas, maps of CCTV cameras and even the Queen’s exact route used each time she travelled there.
It also contained a training video which exposed ten individuals’ details including names, dates of birth, passport numbers, and the details of up to 50 Heathrow aviation security personnel.
The ICO investigation found that only 2% of the 6,500-strong workforce had been trained in data protection. The investigation also revealed the widespread use of removable media in contravention of Heathrow’s own policies and guidance and ineffective controls preventing personal data from being downloaded onto unauthorised or unencrypted media.
The company has been fined £120,000 and ICO director of investigations Steve Eckersley said: “Data protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise.
“Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them.”
Heathrow carried out a number of remedial actions once it was informed of the breach, including reporting the matter to the police, acting to contain the incident and engaging a third-party specialist to monitor the Internet and dark web.