Heathrow Airport fined £120K for serious failings in data protection practices (ico.org.uk)
153 points by bauc 5 months ago | 43 comments

> The member of the public decided to tell The Sunday Mirror newspaper about the find, which days later published a story claiming the loss could potentially have compromised airport security, including putting Queen Elizabeth II, politicians and VIPs at risk.

> Yesterday, the company with the job of looking after the data, Heathrow Airport Ltd (HAL), was fined £120,000 ($160,000) by Britain’s Information Commissioner (ICO) for allowing this to happen.

That's a surprisingly tame fine. I would've expected a couple more zeroes.

This isn't necessarily the first time they've done this, it's the first time they've been caught.

Think of the money saved by not training 6370 staff in data protection and not having any kind of enforcement of policies.

The minimum wage in the UK is now £7.83 per hour. Assuming it was £7.50 at the time, and that data protection training takes a couple of hours with no other costs, then that's about £95,000. Add in admin, national insurance, mandatory pensions and such and it's got to be about break even in a year. That's before we factor in staff turnover.

Under the Data Protection Act 1998, there were cases where it clearly paid to deliberately not comply.

Will a data breach make people choose to shop elsewhere? People already go out of their way to avoid Heathrow if they can, so any reputation loss is negligible.

Put into perspective — £120k isn't enough to hire two full-time people to work on this sort of problem, so why would they?

See: the infamous Pinto memo

That’s precisely why the fine is too cheap.

It seems to me that using money to enforce accountability is only something that works for people for whom money is quite a bit more scarce. You know, poor people, the middle class. You can really threaten someone's livelihood that way without resorting to prison.

When you're looking at big business? Nah. They're not threatened by it: if the fine is too high the law doesn't get passed or it loses its teeth, because it's still cheaper to lobby for leniency. So you get a maximum threshold for a fine that is still pathetic and even further is likely never to be used. If that doesn't work, the business is big enough to threaten the government in power with an even greater loss by opting to dodge tax or shift operations elsewhere. Most of this legislation can be hacked through maths and clever accounting, or ultimately you just pay the workers less and increase the prices.

Most businesses exist to make as much money as they can and you'd think that it would make it their most vulnerable spot, so you can hit them where it hurts. But it doesn't play out that way.

It's essentially a monumental legal cop-out because there's no use holding the corporate entity itself accountable, because the corporate entity is pumping out money to the board no matter what. And we even recognise it as such by referring to such companies as having limited liability. Somehow the owner of a small business can lose their house and car if they fuck it all up, yet those in charge of a much larger company have an incredibly cushy layer of protection when they can deal infinitely greater damage when they put money above all else, sometimes malevolently so. Surely those liabilities should be reversed and the small shop should benefit from the protection from fucking up?

This isn't a fine, it's just the cost of not changing a security culture. Just some statistical noise on the balance sheet of a billion-pound corporation, nothing to concern oneself with if you're upper management.

The maximum fine (under legislation in force at the time of the breach) was £500,000.

But I agree, £120k seems low.

I'd say that £500k would be fair, but still fairly tame for how dangerous this breach could've been.

£500k is essentially how much it would cost each year to hire a team to fix these issues and maintain their systems.

If £120k is the punishment, what's the point in fixing the issue? It's more cost effective to accept the risk of a major security breach and the resignations of a handful of top brass.

Well, the Information Commissioner has much greater scope for issuing fines now - remember that this is an old breach and any incident that happened after May 2018 is subject to the GDPR rather than the Data Protection Act 1998.

That's good, although I'm a bit wary of what will happen to GDPR after Brexit, and whether it gives the government a mandate to reduce penalties for businesses not meeting security standards.

They reported it, and didn't try to hide it, for one. It occurred as a breach of internal policies for another.


Note that the security stuff makes nice headlines and is concerning, but isn't the responsibility of the ICO, so likely played no role in their fine.

Agreed, the personal data leaked was limited to a screenshot from a video in which 10 or 50 people's dates of birth and passport numbers were visible. As data breaches go, that really wasn't one.

This is, unfortunately, not really a surprise. There are a lot of companies who, instead of analyzing what data sharing facilities their staff need, then procuring appropriate services to meet those needs, take the approach of "pretending the problem isn't really there".

This inevitably leads to people using inappropriate mechanisms like USB sticks, personal cloud sharing etc to get their jobs done.

What we really need is non-universally compatible storage devices.

Or maybe one day data transfer will be like money wire transfers. Fill out some paperwork, pay $30, you’ll get your data on the other end...

All data will be owned and custodied by government and data banks. One problem is data is much less fungible than money.

At the same time, the lack of even basic protections is alarming. Don't need software controls to lock out USB drives, when there is superglue in the ports.

That's usually the approach taken when you let people vote on non-standard devices that: 1. Will be reused after 2. Do not have any additional protection other than simple Android updates, not connected through the internet though. But in that case I'd say the problem would be in the phase of delivering those devices, and after, when the results will be printed to a file on a USB that will be moved to other places. This process happened in Italy around one year ago for a referendum vote.

A big hassle in a world of USB keyboards and mice.

In my experience, the USB ports for those were locked down by the manufacturer and would be pretty hard to get at unless you were somewhat determined. The point being that, in this scenario, it (probably) wasn't some hostile agent that exfiltrated this data, but an unknowing employee.

Unless you also glue the case together, this doesn't solve anything.

It solves the case of non-trained people "accidentally" using a USB device that could open up data infiltration/exfiltration attempts.

I have a mate who used to work for the bit of QinetiQ that wasn't privatized and he mentioned that his new laptop had soldered up USB ports but also had a CD burner that still worked :-)

> HAL carried out a number of remedial actions once it was informed of the breach including reporting the matter to the police, acting to contain the incident and engaging a third party specialist to monitor the internet and dark web.

Ooh, did they sign up for their Free Dark Web Scan?

> exposed ten individuals’ details including names, dates of birth, passport numbers, and the details of up to 50 HAL aviation security personnel

I think this is significant, especially in an environment where GDPR non-compliance can penalize American companies for millions/billions. I would say compromising the identity of security personnel that could be exploited for a physical attack should be deemed even more harmful and fined at a higher rate.

As is, this fine probably doesn’t cover the salary of a junior security researcher for one year to discover vulnerabilities and enforce best practices that could have prevented things like this. The message seems to be don’t bother actually securing your systems if you are a European outfit.

£60k is a relatively decent IT salary in the UK.

It's probably a couple of junior security researchers.

But your point is still valid.

£60k gross salary for an employee might come at a £100k cost for the company when you add in NICs, pensions, HR costs, training, provision of equipment and office space.

> Heathrow Airport seems to have been in denial that anyone might save data to drives or, if they did, would fail to secure them properly.

Just entertaining myself here by speculating, but could it have been possible that someone attempted to steal this information from the airport with malicious intent and lost it?

The odds would be extremely low, and would fall into Schneier's 'movie plot threat' category, https://en.wikipedia.org/wiki/Bruce_Schneier#Movie_plot_thre...

More specifically, we know that people use USB sticks to transfer data, even across "secure" air-gapped systems. (Eg, Stuxnet.) Some organizations will even fill USB slots with glue to prevent this sort of use.

By comparison, the rate of espionage/information theft through physical access to the data is much lower.

Since you posit a rare occurrence - information theft - followed by an even more rare scenario - losing the information - I can easily conclude that it's very unlikely.

> The odds would be extremely low

That's why I have trouble believing this story really happened. A simpler explanation would be that money simply changed hands for reasons unknown (bribes, etc.)

You think it's easier to believe that The Sunday Mirror paid someone at Heathrow to deliver a USB stick than it is to believe that lots of people at Heathrow are using USB sticks and one of them dropped it?

And you think The Sunday Mirror lied to the Information Commissioner’s Office about the data provenance? That is, lied that it was found by a member of the public in Kilburn, and/or lied that it was viewed by that same member of the public on a public library computer before handing it over to The Sunday Mirror?

I don't. I don't see why you do. I don't see why we should regard your interpretation as "simpler".

Especially when (according to the linked-to report), Heathrow Airport Limited's own investigation figured out who lost the stick, concluded that the USB stick was likely lost during commute-time transit, and showed that there were serious information security problems at Heathrow, with 'limited data protecting training in place' and no technical methods in place to keep data from being transferred to unencrypted or unauthorized sticks?

The report disagrees with your doubt, saying "The Commissioner has made the above findings of fact on the balance of probabilities."

How do you end up with a different balance? What scenario are you thinking of?

My company has a policy that if you plug a USB drive into a company computer it will wipe it and encrypt the drive, if it is not already encrypted. It would have made it difficult for people to read the information once it was out, but doesn't solve the issue of someone dropping it outside.

That's rather nifty - how is it implemented?

My company does the same with PGP Desktop.
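The control the two comments above describe (refuse or encrypt any removable drive that is not already encrypted) can be audited on a Windows fleet with built-in tooling instead of PGP Desktop. This is an added example, not code from any commenter or from Heathrow; it assumes the BitLocker and Storage PowerShell modules are present and that the "Deny write access to removable drives not protected by BitLocker" policy is stored as the RDVDenyWriteAccess value under the FVE policy key, which you should confirm against your own GPO templates.

```powershell
# Added example: list removable drives on this host, flag any without
# BitLocker protection, and check whether policy denies writes to such
# drives. Run from an elevated shell on Windows 8 / Server 2012 or later.

function Get-RemovableDriveProtection {
    # Removable volumes that have a drive letter (Storage module)
    $removable = Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
    foreach ($vol in $removable) {
        $mount = "$($vol.DriveLetter):"
        # BitLocker state for this volume; $null if the module cannot see it
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        [pscustomobject]@{
            MountPoint       = $mount
            Label            = $vol.FileSystemLabel
            SizeGB           = [math]::Round($vol.Size / 1GB, 1)
            ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'Unknown' }
            Protected        = [bool]($bl -and $bl.ProtectionStatus -eq 'On')
        }
    }
}

# Policy: Computer Configuration > Administrative Templates > Windows
# Components > BitLocker Drive Encryption > Removable Data Drives >
# "Deny write access to removable drives not protected by BitLocker".
# Assumption: when enabled it writes RDVDenyWriteAccess = 1 under the FVE key.
function Test-RemovableWriteDenied {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $val = Get-ItemProperty -Path $key -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue
    return [bool]($val -and $val.RDVDenyWriteAccess -eq 1)
}

$drives = @(Get-RemovableDriveProtection)
$drives | Format-Table -AutoSize
$unprotected = @($drives | Where-Object { -not $_.Protected })

if ($unprotected.Count -gt 0 -and -not (Test-RemovableWriteDenied)) {
    # This is the state the ICO report describes: data can be copied to
    # unencrypted removable media with no technical control stopping it.
    Write-Warning ("{0} removable drive(s) are not BitLocker-protected and " +
                   "policy does not deny writes to unprotected removable drives." -f $unprotected.Count)
}
```

Pair the audit with the policy itself rather than relying on training alone: with write access denied, an unencrypted stick can still be read but nothing new lands on it.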

That’s like fining me $0.25 for speeding. Very deterring...

Fun fact: For most cars the sweet spot on the speedometer is about 40 to 60 mph, and generally, doubling your speed requires more than double the horsepower. Speeders likely already spend more than $0.25 in gas per trip from lost fuel efficiency. Even more when there are stop lights and other traffic.

This fine is way too low to make any kind of an impact, unless some pretty serious threats were made along with it.

It's 'only' a $160K fine. I'm fairly sure people have lost more expensive USB sticks. Eg this story, of someone having thousands of bitcoins on a (not lost but broken) USB stick: https://www.news.com.au/finance/money/investing/dont-tell-my...

We've updated the link from https://nakedsecurity.sophos.com/2018/10/10/airport-mislays-..., which points to this.

This sort of data still on USB sticks?? And in 2017?? What the hell.

The USB drive is not the most alarming detail; the fact that sensitive data was in a TRAINING VIDEO is.
