Heathrow Airport has been fined £120,000 by the Information Commissioner’s Office (ICO) for “serious” data protection failings after one of its staff members lost a USB stick containing “sensitive personal data”.
The USB stick, which was neither encrypted nor password-protected, was later found by a member of the public and handed in to a national newspaper. It was believed to contain 76 folders and more than 1,000 files. The stick was recovered in Kilburn, west London, and was reportedly viewed in a local library before being handed to the newspaper ten days later. The newspaper made copies of the information before returning it to Heathrow Airport, according to the ICO.
Reports at the time claimed the data included the Queen’s security and travel arrangements, although the ICO would not confirm this.
The files included sensitive information, among them a training video that exposed the names, dates of birth and passport numbers of staff. The personal data of up to 50 Heathrow aviation security personnel was also revealed.
“The stick held a training video containing names, dates of birth, vehicle registrations, nationality, passport numbers and expiry, roles, and mobile numbers of 10 individuals involved in a particular greeting party, and also details of between 12 and 50 (exact number unconfirmed) Heathrow aviation security personnel,” the ICO said in its penalty notice.
“Given that Heathrow Airport is Europe’s busiest airport, where high-level security should be inherent, loss or unauthorised disclosure of personal data of staff could have presented a greater risk if found by individuals who had not handled the data responsibly,” the ICO said.
The information was captured “erroneously” during a portion of the video in which a page from an open ring binder containing the data appeared on screen.
“Given the way the data was captured and displayed, it would not be readily available or searchable, but (the information commissioner) considers that a motivated individual could locate and extract the data in a more permanent way,” the ICO said.
The ICO found that less than 2% of the airport’s staff had received data protection training.