Like so many stories of data disaster, this one started innocently enough.
In October 2017, a member of the public noticed a USB flash drive lying in the street in a London suburb.
After plugging the drive into a computer at their local public library, they discovered it contained 1,000 files held in 76 folders and a trove of data on security systems and procedures at one of the world’s largest airports, Heathrow.
Because we’re writing about this in the first place, you can already guess that none of the data was encrypted or password-protected.
The member of the public decided to tell The Sunday Mirror newspaper about the find, which days later published a story claiming the loss could potentially have compromised airport security, including putting Queen Elizabeth II, politicians and VIPs at risk.
Yesterday, the company with the job of looking after the data, Heathrow Airport Ltd (HAL), was fined £120,000 ($160,000) by the UK Information Commissioner’s Office (ICO) for allowing this to happen.
What was on the drive?
Heathrow Airport claimed that only 1% of the data on the memory stick was personal data, which would have been a good argument if that hadn’t included a training video exposing names, dates of birth, vehicle registrations, passport details, and mobile numbers for 10 people involved in important security procedures at the airport.
It also contained information on between 12 and 50 personnel involved in security, including their names and job titles. This, it turned out, was visible in the video, printed on some ring-binder pages that someone carelessly filmed.
The newspaper said the stick contained other security data including patrol timetables, routes taken through the airport by British Cabinet ministers and foreign dignitaries, and security measures to protect the Queen.
What went wrong
Many staff were using USB sticks, including their own, despite Heathrow having no “adequate technical controls” to stop them saving unencrypted data to them. Barely any had received training about the security risks of using USB sticks.
Heathrow Airport seems to have been in denial that anyone might save data to drives or, if they did, would fail to secure them properly. It was as if USB sticks with gigabytes of capacity had never been invented.
The only reason Heathrow Airport has had to acknowledge problems at all is because an employee dropped one on his or her way to work, which was picked up by a member of the public and sent to a newspaper. Arguably, then, the incident was a stroke of luck given the possibility that data might eventually fall into the wrong hands through carelessness.
The airport has admitted it has no idea what other data might have been copied on to USB sticks in the past.
Perhaps now they will take steps to make USB disks less of a data breach risk, for example by limiting the range of USB hardware drives that are allowed; vetting what gets copied onto them; and encrypting any sensitive data that genuinely needs to be backed up onto removable devices.