The Information Commissioner's Office (ICO) recently fined Heathrow Airport Limited (HAL) £120,000 ($156,548) for failing to secure sensitive information about airport staff. The penalty comes after a Heathrow Airport employee lost his USB stick, which contained confidential information but was not password protected. The stick was later found by an outsider, who viewed the content at a local library.
According to the ICO’s statement, a member of the public found the USB device on October 16, 2017. The device contained over 76 folders and 1,000 files. The sensitive data included a training video that had details such as names, dates of birth, and passport numbers of HAL employees. The ICO claimed that the stick was given to a newspaper authority before it was given back to HAL authorities.
“Data Protection should have been high on Heathrow’s agenda. But our investigation found a catalog of shortcomings in corporate standards, training, and vision that indicated otherwise,” said ICO Director of Investigations, Steve Eckersley. “Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures, and training in place to minimize any vulnerabilities of the personal information that has been entrusted to them.”
According to the ICO investigation report, only two percent of HAL's 6,500-strong workforce had been trained in data protection awareness. It also noted that HAL violated its own norms by using removable media and failed to prevent personal data from being downloaded onto unauthorized sources.
Speaking on the charges, a spokeswoman from HAL said, “We accept the fine that the ICO have deemed appropriate and spoken to all individuals involved. We recognize that this should never have happened and would like to reassure everyone that necessary changes have been implemented, including the start of an extensive information security training programme which is being rolled out company-wide.”