That's a surprisingly tame fine. I would've expected a couple more zeroes.
Think of the money saved by not training 6370 staff in data protection and not having any kind of enforcement of policies.
The minimum wage in the UK is now £7.83 per hour. Assuming it was £7.50 at the time, and that data protection training takes a couple of hours with no other costs, then that's about £95,000. Add in admin, national insurance, mandatory pensions and such and it's got to be about break even in a year. That's before we factor in staff turnover.
Under the Data Protection Act 1998, there were cases where it clearly paid to deliberately not comply.
Will a data breach make people choose to shop elsewhere? People already go out of their way to avoid Heathrow if they can, so any reputation loss is negligible.
When you're looking at big business? Nah. They're not threatened by it: if the fine is too high the law doesn't get passed or it loses its teeth, because it's still cheaper to lobby for leniency. So you get a maximum threshold for a fine that is still pathetic and even further is likely never to be used. If that doesn't work, the business is big enough to threaten the government in power with an even greater loss by opting to dodge tax or shift operations elsewhere. Most of this legislation can be hacked through maths and clever accounting, or ultimately you just pay the workers less and increase the prices.
Most businesses exist to make as much money as they can and you'd think that it would make it their most vulnerable spot, so you can hit them where it hurts. But it doesn't play out that way.
It's essentially a monumental legal cop-out because there's no use holding the corporate entity itself accountable, because the corporate entity is pumping out money to the board no matter what. And we even recognise it as such by referring to such companies as having limited liability. Somehow the owner of a small business can lose their house and car if they fuck it all up, yet those in charge of a much larger company have an incredibly cushy layer of protection when they can deal infinitely greater damage when they put money above all else, sometimes malevolently so. Surely those liabilities should be reversed and the small shop should benefit from the protection from fucking up?
But I agree, £120k seems low.
£500k is essentially how much it would cost each year to hire a team to fix these issues and maintain their systems.
If £120k is the punishment, what's the point in fixing the issue? It's more cost effective to accept the risk of a major security breach and the resignations of a handful of top brass.
Note that the security stuff makes nice headlines and is concerning, but isn't the responsibility of the ICO, so likely played no role in their fine.
This inevitably leads to people using inappropriate mechanisms like USB sticks, personal cloud sharing, etc. to get their jobs done.
Or maybe one day data transfer will be like money wire transfers. Fill out some paperwork, pay $30, you’ll get your data on the other end...
All data will be owned and custodied by government and data banks. One problem is data is much less fungible than money.
Ooh, did they sign up for their Free Dark Web Scan?
I think this is significant, especially in an environment where GDPR non-compliance can penalize American companies for millions/billions. I would say compromising the identity of security personnel that could be exploited for a physical attack should be deemed even more harmful and fined at a higher rate.
It's probably a couple of junior security researchers.
But your point is still valid.
Just entertaining myself here by speculating, but could it have been possible that someone attempted to steal this information from the airport with malicious intent and lost it?
More specifically, we know that people use USB sticks to transfer data, even across "secure" air-gapped systems (e.g., Stuxnet). Some organizations will even fill USB slots with glue to prevent this sort of use.
By comparison, the rate of espionage/information theft through physical access to the data is much lower.
Since you posit a rare occurrence - information theft - followed by an even more rare scenario - losing the information - I can easily conclude that it's very unlikely.
That's why I have trouble believing this story really happened. A simpler explanation would be that money simply changed hands for reasons unknown (bribes, etc.).
And you think The Sunday Mirror lied to the Information Commissioner’s Office about the data provenance? That is, lied that it was found by a member of the public in Kilburn, and/or lied that it was viewed by that same member of the public on a public library computer before handing it over to The Sunday Mirror?
I don't. I don't see why you do. I don't see why we should regard your interpretation as "simpler".
Especially when (according to the linked-to report) Heathrow Airport Limited's own investigation could figure out who lost the stick, concluded that the USB stick was likely lost during commute-time transit, and showed that there were serious information security problems at Heathrow, with 'limited data protection training in place' and no technical methods in place to keep data from being transferred to unencrypted or unauthorized sticks?
The report disagrees with your doubt, saying "The Commissioner has made the above findings of fact on the balance of probabilities."
How do you end up with a different balance? What scenario are you thinking of?