The Information Commissioner’s Office (ICO) issued a fine of £120,000 to Heathrow Airport Limited (HAL) following a data security incident that occurred in 2017.
On 8 October, ICO announced the penalty under section 55A of the 1998 Data Protection Act (DPA).
Under that piece of legislation, the ICO is empowered to penalize violators with fines not exceeding £500,000. The non-departmental public body has issued the maximum penalty before; it did so with Equifax for an incident in which digital attackers compromised the sensitive personal information of nearly 150 million Americans along with the data of 15 million UK citizens.
In the case of HAL, ICO cited HAL’s failure to uphold the Seventh Data Protection Principle under the DPA, which mandates that organizations take appropriate measures to protect personal data against unauthorized processing, loss or destruction. ICO specifically found that the airport did not have appropriate technical controls in place to prevent individuals from downloading personal data onto unencrypted removable media such as USB drives. The government body said this oversight made it possible for an employee to store 2.5GB of HAL’s data, including 76 folders and over 1,000 files, on a USB drive without encryption or password protection. The employee then lost the device, and someone eventually found it in October 2017 on Ilbert Street in Queen’s Park, West London.
Additionally, the Information Commissioner’s Office found that HAL lacked documented processes for determining which employees should receive data protection training or for monitoring uptake.
Upon learning of the loss, HAL reported it to the police and worked with a third-party specialist to contain the incident.
ICO Director of Investigations Steve Eckersley said HAL’s penalty reflects the reality of data protection for organizations today:
Data Protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise. Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them.
Based on the date of the breach, the Information Commissioner’s Office investigated the incident under the 1998 DPA and not the 2018 Act, which replaced it.