London Heathrow Fined $160,000 for Lost USB Drive

Oct. 09, 2018

London Heathrow airport has been fined $160,000 for losing a USB memory drive containing highly sensitive information last October.

The USB memory stick had been found on a London street October 17 by a passerby, who then viewed the contents on a computer at the local library before passing along the flash drive to the UK newspaper the Sunday Mirror. Heathrow, however, did not report the lost device until October 26, and the first media report about the data breach was published on October 29. Heathrow submitted a formal breach notification on November 7 to the Information Commissioner's Office, the UK privacy watchdog which handed down the ruling and fine.

None of the highly sensitive data was either password-protected or encrypted, according to the Information Commissioner's Office. The data on the drive included "the exact route the Queen takes when using the airport and security measures used to protect her" as well as a timetable of airport patrols. The memory stick had been lost by a Heathrow security trainer.

"Data protection should have been high on Heathrow's agenda. But our investigation found a catalog of shortcomings in corporate standards, training and vision that indicated otherwise," says Steve Eckersley, ICO director of investigations. "Data protection is a boardroom issue, and it is imperative that businesses have the policies, procedures and training in place to minimize any vulnerabilities of the personal information that has been entrusted to them."

The Information Commissioner's Office charged the airport under the Data Protection Act 1998, which was in effect at the time of the breach and which allowed for a maximum fine of $657,000.

"Following this incident, the company took swift action and strengthened processes and policies," a Heathrow spokeswoman said. "We accept the fine that the ICO have deemed appropriate, and we have spoken to all individuals involved. We recognize that this should never have happened and would like to reassure everyone that necessary changes have been implemented, including the start of an extensive information security training program, which is being rolled out companywide. We take our compliance with all laws extremely seriously and operate within the stringent regulatory and legal requirements demanded of us."

Heathrow is the largest airport in London, and is part of the world's busiest airport system, handling more than 2.5 million flights a year.
