
Heathrow Airport fined £120K for serious failings in data protection practices - bauc
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/10/heathrow-airport-limited-fined-120-000-for-serious-failings-in-its-data-protection-practices/
======
SenHeng
> The member of the public decided to tell The Sunday Mirror newspaper about
> the find, which days later published a story claiming the loss could
> potentially have compromised airport security, including putting Queen
> Elizabeth II, politicians and VIPs at risk.

> Yesterday, the company with the job of looking after the data, Heathrow
> Airport Ltd (HAL), was fined £120,000 ($160,000) by Britain’s Information
> Commissioner (ICO) for allowing this to happen.

That's a surprisingly tame fine. I would've expected a couple more zeroes.

~~~
pdpi
Put into perspective — £120k isn't enough to hire two full-time people to work
on this sort of problem, so why would they?

~~~
rangibaby
See: the infamous Pinto memo

------
raesene9
This is, unfortunately, not really a surprise. There are a lot of companies
who, instead of analyzing what data sharing facilities their staff need, then
procuring appropriate services to meet those needs, take the approach of
"pretending the problem isn't really there"

This inevitably leads to people using inappropriate mechanisms like USB
sticks, personal cloud sharing, etc. to get their jobs done.

~~~
NikolaeVarius
At the same time, the lack of even basic protections is alarming. Don't need
software controls to lock out USB drives, when there is superglue in the
ports.

~~~
pjc50
A big hassle in a world of USB keyboards and mice.

~~~
NikolaeVarius
In my experience, the USB ports for those were locked down by the manufacturer
and would be pretty hard to get at unless you were somewhat determined. The
point being that, in this scenario, it (probably) wasn't some hostile agent
that exfiltrated this data, but an unknowing employee.

------
excalibur
> HAL carried out a number of remedial actions once it was informed of the
> breach including reporting the matter to the police, acting to contain the
> incident and engaging a third party specialist to monitor the internet and
> dark web.

Ooh, did they sign up for their Free Dark Web Scan?

------
fspacef
> exposed ten individuals’ details including names, dates of birth, passport
> numbers, and the details of up to 50 HAL aviation security personnel

I think this is significant, especially in an environment where GDPR
non-compliance can penalize American companies for millions/billions. I would
say compromising the identity of security personnel that could be exploited
for a physical attack should be deemed even more harmful and fined at a higher
rate.

~~~
mattnewton
As is, this fine probably doesn’t cover the salary of a junior security
researcher for one year to discover vulnerabilities and enforce best practices
that could have prevented things like this. The message seems to be don’t
bother actually securing your systems if you are a European outfit.

~~~
tomfanning
£60k is a relatively decent IT salary in the UK.

It's probably a couple of junior security researchers.

But your point is still valid.

~~~
pbhjpbhj
£60k gross salary for an employee might come at a £100k cost for the company
when you add in NICs, pensions, HR costs, training, provision of equipment and
office space.

------
dsamarin
> Heathrow Airport seems to have been in denial that anyone might save data to
> drives or, if they did, would fail to secure them properly.

Just entertaining myself here by speculating, but could it have been possible
that someone attempted to steal this information from the airport with
malicious intent and lost it?

~~~
eesmith
The odds would be extremely low, and would fall into Schneier's 'movie plot
threat' category,
[https://en.wikipedia.org/wiki/Bruce_Schneier#Movie_plot_thre...](https://en.wikipedia.org/wiki/Bruce_Schneier#Movie_plot_threat)

More specifically, we know that people use USB sticks to transfer data, even
across "secure" air-gapped systems. (Eg, Stuxnet.) Some organizations will
even fill USB slots with glue to prevent this sort of use.

By comparison, the rate of espionage/information theft through physical access
to the data is much lower.

Since you posit a rare occurrence - information theft - followed by an even
more rare scenario - losing the information - I can easily conclude that it's
very unlikely.

~~~
practice9
> The odds would be extremely low

That's why I have trouble believing this story really happened. Simpler
explanation would be that money simply changed hands for reasons unknown
(bribes, etc.)

~~~
eesmith
You think it's easier to believe that The Sunday Mirror paid someone at
Heathrow to deliver a USB stick than it is to believe that lots of people at
Heathrow are using USB sticks and one of them dropped it?

And you think The Sunday Mirror lied to the Information Commissioner’s Office
about the data provenance? That is, lied that it was found by a member of the
public in Kilburn, and/or lied that it was viewed by that same member of the
public on a public library computer before handing it over to The Sunday
Mirror?

I don't. I don't see why you do. I don't see why we should regard your
interpretation as "simpler".

Especially when (according to the linked-to report), Heathrow Airport
Limited's own investigation figured out who lost the stick, concluded that the
USB stick was likely lost during commute-time transit, and showed that there
were serious information security problems at Heathrow, with 'limited data
protecting training in place' and no technical methods in place to keep data
from being transferred to unencrypted or unauthorized sticks?

The report disagrees with your doubt, saying "The Commissioner has made the
above findings of fact on the balance of probabilities."

How do you end up with a different balance? What scenario are you thinking of?

------
sbradford26
My company has a policy that if you plug a USB drive into a company computer,
it will wipe it and encrypt the drive if it is not already encrypted. It would
have made it difficult for people to read the information once it was out,
but it doesn't solve the issue of someone dropping it outside.

~~~
Angostura
That's rather nifty - how is it implemented?

~~~
sbradford26
I believe it is a McAfee product.

[https://www.mcafee.com/enterprise/en-us/products/technologies/file-removable-media-protection.html](https://www.mcafee.com/enterprise/en-us/products/technologies/file-removable-media-protection.html)
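The control sbradford26 describes (refusing unencrypted removable media) can also be enforced with built-in Windows policy rather than a third-party product. The audit script below is an added example, not code from the thread or from the McAfee product: it assumes Windows 10/11 or Server 2012+ with the BitLocker and Storage PowerShell modules, an elevated prompt, and the "Deny write access to removable drives not protected by BitLocker" policy, which is stored as the RDVDenyWriteAccess value under the FVE policy key.

```powershell
# Added audit example: checks whether writes to unencrypted USB sticks are blocked
# by policy and reports the BitLocker state of every removable volume present.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-RemovableWritePolicy {
    # RDVDenyWriteAccess = 1 means data cannot be copied onto a stick that is not
    # BitLocker-protected; a missing value means the default (writes allowed).
    $v = Get-ItemProperty -Path $policyPath -Name 'RDVDenyWriteAccess' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.RDVDenyWriteAccess -eq 1)
}

function Get-RemovableEncryptionReport {
    # Join each removable volume with its BitLocker status so unencrypted
    # sticks currently plugged in show up as non-compliant.
    $removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
    foreach ($vol in $removable) {
        $mp = "$($vol.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
        $protection = if ($bl) { [string]$bl.ProtectionStatus } else { 'Unknown' }
        $volStatus  = if ($bl) { [string]$bl.VolumeStatus }     else { 'Unknown' }
        [pscustomobject]@{
            Drive            = $mp
            Label            = $vol.FileSystemLabel
            ProtectionStatus = $protection
            VolumeStatus     = $volStatus
            Compliant        = ($protection -eq 'On')
        }
    }
}

if (Test-RemovableWritePolicy) {
    'Policy: writes to unencrypted removable drives are denied'
} else {
    'Policy: NOT set - data can be written to unencrypted USB sticks'
}
Get-RemovableEncryptionReport | Format-Table -AutoSize
```

Setting the policy only blocks writes; it does not encrypt a stick that was already written before the policy was applied, so the report's Compliant column is what tells you whether existing media would still be readable if lost.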

------
shibel
That’s like fining me $0.25 for speeding. Very deterring...

~~~
dsamarin
Fun fact: For most cars the sweet spot on the speedometer is about 40 to 60
mph, and generally, doubling your speed requires more than double the
horsepower. Speeders likely already spend more than $0.25 in gas per trip from
lost fuel efficiency. Even more when there are stop lights and other traffic.

------
jackconnor
This fine is way too low to make any kind of an impact, unless some pretty
serious threats were made along with it.

------
PanMan
It's 'only' a $160K fine. I'm fairly sure people have lost more expensive USB
sticks. E.g. this story, of someone having thousands of bitcoins on a (not lost
but broken) USB stick:
[https://www.news.com.au/finance/money/investing/dont-tell-my-wife-melbourne-man-cries-over-lost-bitcoins-as-price-surges-past-us10000/news-story/bd18b6f6aa123dca017f9cc75544fd01](https://www.news.com.au/finance/money/investing/dont-tell-my-wife-melbourne-man-cries-over-lost-bitcoins-as-price-surges-past-us10000/news-story/bd18b6f6aa123dca017f9cc75544fd01)

------
sctb
We've updated the link from
[https://nakedsecurity.sophos.com/2018/10/10/airport-mislays-worlds-most-expensive-usb-stick/](https://nakedsecurity.sophos.com/2018/10/10/airport-mislays-worlds-most-expensive-usb-stick/),
which points to this.

------
daniel_iversen
This sort of data still on USB sticks?? And in 2017?? What the hell.

~~~
spydum
USB drive is not the most alarming detail. The fact that sensitive data was in
a TRAINING VIDEO.

