As reported by several media outlets, the UK’sInformation Commissioner’s Office (ICO) has fined London Heathrow Airport £120,000.
According to the senior official, an airport employee lost a USB flash drive containing confidential information. Among the more than 1,000 files saved were:
- Personal data such as names, dates of birth and passport numbers of ten people from a training video
- Personnel data of up to 50 security employees
It was also reported that the USB stick also contained travel data of the British Queen, although this information was not confirmed by the British data protection authority ICO.
The lost data carrier was found by a British citizen and, after being examined, was handed over to a newspaper. That’s how the ball started rolling.
So why was this high penalty imposed? The loss of a USB stick by an employee cannot be prevented even by the best technical and organizational measures. However, the GDPR requires a level of protection at the “state of the art”. This wording is not exact and changes continuously as time goes by. For the current period, encryption of removable data carriers, such as USB sticks, external hard drives, etc., is certainly necessary. However, the airport’s storage medium was not equipped with encryption or access protection. This deficiency in the GDPR implementation made it possible for unauthorized persons to access the USB stick.
If, on the other hand, the data medium had been encrypted, then access would only have been possible with the specified password. The finder of the USB stick could only have deleted the data, but access would have been impossible.
Due to the lack of encryption, the data protection authority has taken action because it is a violation of UK data protection regulations.
The data protection violation was reported by the airport to the data protection authority. Such notification must be made within 72 hours of the incident becoming known, according to the GDPR.
During the course of the DPA’s investigation, it was found that only about 2% of Heathrow employees had received training in data privacy. In addition, copying data to unprotected USB sticks was a widespread practice at the airport, even though this process was prohibited by policy. According to the data protection authority, this practice could have been prevented through data protection training.
To ensure that data protection is not just a topic at board meetings, appropriate guidelines and training are essential to ensure that the personal data of employees and customers is optimally protected.
Internet monitoring was operated by Heathrow Airport during the investigation. This involved an active search for the lost data to check whether it had been published on the Internet or Darkweb.
The UK Data Protection Authority set the penalty at £120,000. The old Data Protection Act, which provided for a maximum fine of £500,000 and is thus significantly lower than the maximum fine under the GDPR, was used as a measurement. This amounts to £17,000,000 (€20,000,000) or 4% of worldwide annual sales. The airport announced to accept the penalty.
Heathrow Airport’s data breach could have been easily prevented. Encryption of data carriers would have prevented unauthorized access to personal data. Instead, it was found that the company-wide policy on data protection was not being complied with by employees, or was being complied with only in part. It turns out that it is not enough to develop policies on data protection, you also need to monitor their enforcement.
The airport got away with a small fine in this case. With a turnover of around £4 billion, the fine was only £120,000, a mere 0.00003% of annual turnover. The fact that the data breach was reported in due time and that monitoring was carried out to check whether the lost data had been published by third parties was certainly a mitigating factor.