Heathrow Airport escapes hefty GDPR fine; gets only £120,000 (under 1998 DPA) for 2017 privacy breach incident

The UK Information Commissioner’s Office has fined Heathrow Airport Limited (HAL) £120,000 for failing to ensure that the personal data on its network was properly secured.

The circumstances behind the fine were widely reported in October 2017, when the incident occurred. In short: a HAL employee lost a USB drive containing 2.5GB of sensitive information; a member of the public found the drive, viewed its contents on a computer at a public library, and then passed it to a national newspaper, which copied the data before returning the stick to HAL.

The drive, which contained 76 folders and over 1,000 files, was neither encrypted nor password protected.

“Although the amount of personal and sensitive personal data held on the stick comprised a small amount of the total files, of particular concern was a training video which exposed ten individuals’ details including names, dates of birth, passport numbers, and the details of up to 50 HAL aviation security personnel,” the ICO said.

However, The Mirror, which reported the story at the time, described contents far more sensitive than those the ICO notes in its press release. According to the paper, the drive also included:

  • The exact route the Queen takes when using the airport, and security measures used to protect her.
  • Files disclosing every type of ID needed – even those used by covert cops – to access restricted areas.
  • A timetable of patrols used to guard the site against suicide bombers and terror attacks.
  • Maps pinpointing CCTV cameras and a network of tunnels and escape shafts linked to the Heathrow Express.
  • Routes and safeguards for Cabinet ministers and foreign dignitaries.
  • Details of the ultrasound radar system used to scan runways and the perimeter fence.

The ICO’s remit is personal data, which is why its findings focus on only a fraction of the compromised material: it is that set of personal details that the Data Protection Act 1998 (DPA) protects, as the GDPR now does.

“The case was dealt with under the provisions and maximum penalties of the Data Protection Act 1998, and not the 2018 Act which has replaced it, because of the date of the breach,” the ICO noted.

Of note, the maximum penalty under the 1998 Act was £500,000. Had the breach occurred after the General Data Protection Regulation took effect on 25 May 2018, HAL’s penalty could have been far higher: the GDPR allows fines of up to €20 million or 4% of a company’s global annual turnover, whichever is higher.

ICO Director of Investigations Steve Eckersley said of the decision to fine HAL:

“Data Protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise. Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them.”

During its investigation, the ICO also found that only 2% of HAL’s 6,500 staff had been trained in data protection. It criticised the widespread use of removable media, which was contrary to the airport’s own policies, and identified what it called “ineffective controls preventing personal data from being downloaded onto unauthorised or unencrypted media.”

To its credit, the airport acted quickly once it learned of the breach: it reported the matter to police, took steps to contain the incident and engaged a third-party specialist to monitor the internet and dark web for any leaks, the ICO said.