Like so many stories of data disaster, this one started innocently enough.
In October 2017, a member of the public noticed a USB flash drive lying in the street in a London suburb.
After plugging the drive into a computer at their local public library, they discovered it contained 1,000 files held in 76 folders and a trove of data on security systems and procedures at one of the world’s largest airports, Heathrow.
Because we’re writing about this in the first place, you can already guess that none of the data was encrypted or password-protected.
The member of the public decided to tell The Sunday Mirror newspaper about the find, which days later published a story claiming the loss could potentially have compromised airport security, including putting Queen Elizabeth II, politicians and VIPs at risk.
Yesterday, the company with the job of looking after the data, Heathrow Airport Ltd (HAL), was fined £120,000 ($160,000) by the UK Information Commissioner’s Office (ICO) for allowing this to happen.
What was on the drive?
Heathrow Airport claimed that only 1% of the data on the memory stick was personal data, which would have been a good argument if that hadn’t included a training video exposing names, dates of birth, vehicle registrations, passport details, and mobile numbers for 10 people involved in important security procedures at the airport.
It also contained information on between 12 and 50 personnel involved in security, including their names and job titles. This, it turned out, was visible in the video, printed on some ring-binder pages that someone carelessly filmed.
The newspaper said the stick contained other security data including patrol timetables, routes taken through the airport by British Cabinet ministers and foreign dignitaries, and security measures to protect the Queen.
What went wrong
Many staff were using USB sticks, including their own, despite Heathrow having no “adequate technical controls” to stop them saving unencrypted data to them. Barely any had received training about the security risks of using USB sticks.
Heathrow Airport seems to have been in denial that anyone might save data to drives or, if they did, would fail to secure them properly. It was as if USB sticks with gigabytes of capacity had never been invented.
The only reason Heathrow Airport has had to acknowledge problems at all is that an employee dropped a stick on his or her way to work, where it was picked up by a member of the public and sent to a newspaper. Arguably, then, the incident was a stroke of luck given the possibility that data might eventually fall into the wrong hands through carelessness.
The airport has admitted it has no idea what other data might have been copied on to USB sticks in the past.
Perhaps now they will take steps to make USB drives less of a data breach risk, for example by limiting the range of USB storage devices that are allowed; vetting what gets copied onto them; and encrypting any sensitive data that genuinely needs to be backed up onto removable devices.
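The last of those controls (refuse to let staff write to a removable drive unless it is encrypted) is something Windows can enforce centrally. The script below is an added example, not anything from Heathrow or the ICO, and it assumes Windows 10/11 endpoints with the BitLocker PowerShell module, run from an elevated prompt; the policy value name is the real one behind the "Deny write access to removable drives not protected by BitLocker" Group Policy setting.

```powershell
# Added example: audit and enforce "no writing to unencrypted USB drives" on a Windows endpoint.
# Assumes Windows 10/11 with the BitLocker module; run elevated. In a domain this value would
# normally be pushed by Group Policy or Intune rather than set locally as shown here.
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-RemovableWritePolicy {
    # $true when writes to removable drives are already denied unless the drive is BitLocker-protected
    $p = Get-ItemProperty -Path $fvePolicy -Name 'RDVDenyWriteAccess' -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.RDVDenyWriteAccess -eq 1)
}

function Set-RemovableWritePolicy {
    # Creates the policy key if needed and sets the deny-write value (1 = deny)
    if (-not (Test-Path $fvePolicy)) { New-Item -Path $fvePolicy -Force | Out-Null }
    Set-ItemProperty -Path $fvePolicy -Name 'RDVDenyWriteAccess' -Value 1 -Type DWord
}

function Get-RemovableDriveReport {
    # Lists every removable volume currently mounted and whether BitLocker protection is on
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
        $mount = "$($_.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Drive      = $mount
            Label      = $_.FileSystemLabel
            SizeGB     = [math]::Round($_.Size / 1GB, 1)
            Protection = if ($bl) { $bl.ProtectionStatus } else { 'Unknown' }
        }
    }
}

if (-not (Get-RemovableWritePolicy)) {
    Write-Host 'Removable-drive write restriction not set; enabling it.'
    Set-RemovableWritePolicy
}
# Any drive reporting 'Off' here is exactly the kind of stick the story is about
Get-RemovableDriveReport | Format-Table -AutoSize
```

The report half is useful on its own for the "no idea what has been copied" problem: run it on a schedule and ship the output to the SIEM to see which machines see unencrypted removable media.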
“plugging the drive into a computer at their local public library” Why is that allowed at all?
Not everyone has a laptop or can afford one, or feels confident enough to go online entirely on their own – even though loads of public services are essentially impossible to access without using a computer these days. (Try applying for or renewing a visa to live in the UK without a computer, for instance.)
Public libraries provide a vital bridge between these people and the parts of their life that assume they are online. Why shouldn’t they carry around a USB drive and be allowed to use it? If we expect them to go online, why shouldn’t we also expect them to bother with backups?
Or perhaps they knew exactly what they were doing using the library’s system as their own private sandbox!
Indeed – I’m not suggesting that the person who plugged in the USB key in this case chose a library out of necessity… just answering the OP’s question about why libraries might leave USB ports open for visitors to use, even though it seems like a mighty big risk.
World's most expensive… I dunno, that USB with Stuxnet on it must have cost a pretty penny or million in broken centrifuges…
“Arguably, then, the incident was a stroke of luck given the possibility that data might eventually fall into the wrong hands through carelessness.”
There’s actually no assurance that it didn’t fall into the wrong hands — it could have been accessed/copied, then dropped back on the street. Seems unlikely, but can’t be ruled out.
In the case of this USB stick (and all previous ones that might also have been lost), that’s correct. However, the incident led to Heathrow Airport revising the way it handles these devices, which reduces the likelihood of a repeat incident.
160.000 USD? *Muahahahahahahaahahaaaaaaaa*
Dr Evil I presume?