This week, news broke of the Information Commissioner’s Office’s latest high-profile sanction, with Heathrow Airport facing a £120,000 fine after an employee lost a memory stick containing the sensitive information of around 60 people, according to the BBC.
The penalty was handed out by the UK’s supervisory authority after the removable media device was found by a member of the public in October last year. Containing more than 1,000 files, it was not encrypted or password protected.
The contents, which reportedly included details of the security measures used to protect the Queen, the types of ID needed to access restricted areas, and the locations of CCTV cameras and tunnels linked to Heathrow Express, were viewed at a library by the person who found the memory stick, before being passed on to the Sunday Mirror. The national newspaper took copies before returning it to Heathrow Airport, thus alerting the security team to the breach.
Following the investigation into the event, Steve Eckersley, ICO director of investigations, said: “Data Protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise.”
“Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them.”
Given that the breach occurred in October 2017, under the Data Protection Act 1998, Heathrow Airport was only subject to a fine of £120,000. However, under the GDPR and Data Protection Act 2018 the sanctions taken by the supervisory authority could have been far greater – as much as 4% of annual turnover or £17 million (20,000,000 euros).
While this was a seemingly isolated incident for the airport, it offers a number of lessons for all organisations going forward…
Train Your Employees
The ICO detailed that only 2% of the airport’s 6,500 employees had received training in data protection, which goes a long way to explaining the malpractice in the case of this breach.
The employee responsible for losing the memory stick was not only unaware of the risks and the necessary steps to take when transferring highly sensitive information via a removable device; he/she also failed to recognise the loss as an incident and to report it once it had occurred.
While policy and procedure provide the framework for a successful Privacy Management System, training and cultural awareness are vital to ensure data protection principles are understood, embedded and ultimately enforced. Under the GDPR (Article 39), there is a requirement for all organisations to appropriately train their staff.
Not only does employee training reduce the likelihood of breaches, it also demonstrates accountability. For example, if your organisation experiences a data breach and has documented all staff training that has been carried out, this can be used as evidence that you have taken steps to prevent a data breach and are taking the regulation seriously.
It is not necessary for all staff to have a detailed level of knowledge when it comes to the legislation, but everyone should have an awareness of GDPR and the issues posed by data protection, particularly in the context of their day-to-day role. To promote this learning, training should be specific, regular and measured, to gauge employee understanding.
By using the GDPR as an opportunity to change the culture around personal data in your organisation, you will experience greater success when it comes to implementing policy and procedure.
Locking Down Removable Media
The ICO’s investigation of this breach noted the ‘widespread’ use of removable media that disregarded Heathrow Airport’s internal policies and guidance, as well as poor controls around preventing staff downloading personal data onto an unauthorised or unencrypted device. As a result, the memory stick discovered was neither encrypted nor password protected.
For the member of public who discovered the device, it was as if he/she had found a paper folder containing a treasure trove of sensitive, company confidential information lying around in plain sight, for anyone to pick up and read at their leisure.
While the extended use of portable devices has increased the efficiency and mobility of our daily work, it has, at the same time, posed another significant threat to organisations’ information security. Although small, and at first glance harmless, removable media devices are a leading cause of security incidents, with millions of pounds’ worth of losses for organisations.
The ICO compiles quarterly statistics on the top causes of reported data security incidents. In the last quarter reported, four of the five leading causes where the ICO acted involved human error and process failure, and 40% of all incidents were attributed to the loss or theft of unencrypted devices. Evidently, controlling the use of devices in corporate environments has become a must to keep abreast of the latest security challenges.
Where the use of removable media is unavoidable, your organisation should limit the media types that can be used together with the users, systems and types of information that can be stored and transferred on removable media.
The secure baseline build should deny access to media drives by default and only allow access to approved devices. If feasible, all removable media should be formally issued by your organisation to individuals who will be held accountable for its secure use. Your organisation should then maintain a record of these devices and those employees with whom they reside.
In addition, removable media should be properly encrypted when used to store personal or company-sensitive data. Whenever possible, AES (Advanced Encryption Standard) should be used as the encryption algorithm due to its strength and speed, and strong password requirements with complexity specifications should be enforced, e.g. a minimum of nine characters, or characters drawn from at least two character classes.
Encryption software such as BitLocker for Windows uses policy-driven, transparent encryption to prevent unauthorised access to your organisation’s information across your removable media devices. These tools prevent a user from introducing a device to the estate without the desired controls being enforced. The same software can also be used to detect and react to the unauthorised use of removable media within an acceptable time frame.
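The controls described above (deny removable disks by default, refuse writes to drives that are not BitLocker-protected, AES encryption, and detection of newly attached removable disks) can be audited on a single Windows endpoint with the script below. It is an added example, not code from the ICO or Heathrow Airport; it assumes an elevated PowerShell 5.1+ session on Windows 10/11 with the BitLocker module installed, and the function name and the 24-hour detection window are our own choices. The registry paths are the standard Group Policy locations for "Removable Storage Access" and for "Deny write access to removable drives not protected by BitLocker".

```powershell
# Added example: audit one Windows host against removable-media controls.
# Returns a list of findings; an empty list means every check passed.
function Test-RemovableMediaControls {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Secure baseline: removable disks should be denied by default.
    #    Policy: Computer Config > Admin Templates > System > Removable Storage Access
    #    The GUID is the device-class ID Windows uses for "Removable Disks".
    $rsd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    $denyWrite = (Get-ItemProperty -Path $rsd -Name 'Deny_Write' -ErrorAction SilentlyContinue).Deny_Write
    if ($denyWrite -ne 1) {
        $findings.Add('Removable disks are writable by default (Deny_Write policy not set).')
    }

    # 2. BitLocker To Go enforcement: block writes to unencrypted removable drives.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $rdvDeny = (Get-ItemProperty -Path $fve -Name 'RDVDenyWriteAccess' -ErrorAction SilentlyContinue).RDVDenyWriteAccess
    if ($rdvDeny -ne 1) {
        $findings.Add('Writes to non-BitLocker removable drives are allowed (RDVDenyWriteAccess not set).')
    }

    # 3. Live state: every mounted removable volume must be protected, and with AES.
    $removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and "$($_.DriveLetter)" -match '[A-Z]' }
    foreach ($vol in $removable) {
        $mount = "$($vol.DriveLetter):"
        $blv = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        if (-not $blv -or $blv.ProtectionStatus -ne 'On') {
            $findings.Add("Removable volume $mount is mounted without BitLocker protection.")
        } elseif ($blv.EncryptionMethod -notmatch 'Aes') {
            $findings.Add("Removable volume $mount uses $($blv.EncryptionMethod), not AES.")
        }
    }

    # 4. Detection: removable disks configured on this host in the last 24 hours.
    #    Kernel-PnP event 400 ("Device ... was configured"); USBSTOR marks USB mass storage.
    $since = (Get-Date).AddHours(-24)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Kernel-PnP/Configuration'; Id = 400; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in ($events | Where-Object { $_.Message -match 'USBSTOR' })) {
        $findings.Add("USB storage device configured at $($e.TimeCreated): $($e.Message.Split([char]10)[0])")
    }

    return $findings
}

$result = Test-RemovableMediaControls
if ($result.Count -eq 0) { 'All removable-media checks passed.' } else { $result }
```

Run it as a scheduled task or through your endpoint management tool and forward non-empty results to the security team; a USBSTOR finding on a host that should have no approved devices is the "unauthorised use" signal the paragraph above refers to.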
While Heathrow Airport was not bound by a statutory 72-hour reporting deadline following the identification of the breach, this event does highlight the importance of having robust internal and external processes in place. These should assist all employees, contractors and authorised third parties in the event of a personal data breach.
Assuming the owner of the lost memory stick was aware of its absence, there is no evidence to suggest that he/she reported the incident through the appropriate channels within the organisation. Instead, the airport security team first became aware of the breach when they were notified by a national newspaper.
With processes and procedures in place, and an effective training and awareness strategy to support this, the employee would have known how to report the data loss, who to, and when by. However, the absence of one or more of these factors resulted in the incident going undetected. To reduce the likelihood and impact of a data breach for your organisation, it is imperative that these measures are in place.
Had Heathrow Airport been made aware of the incident, the organisation could have taken the appropriate action to contain and mitigate the event, while working to identify what information the device had contained. In this event, the containment and mitigation may have been extremely difficult, and the impact somewhat unpreventable, but the underlying lesson is vital for future incidents.
Additionally, upon realising that a breach had occurred, Heathrow Airport was not proactive in its attempts to report to and inform the ICO. Instead, four days after becoming aware of the event, the organisation was contacted by the ICO, who had learned of the breach through the media.
Under the Data Protection Act 1998, the airport was not obligated to report the incident. However, this would not be the case following the onset of the GDPR, where certain types of data breach must be reported to the supervisory authority within 72 hours of identification.
A reportable incident is considered a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, when there is a high likelihood and severity of any risk to people’s rights and freedoms.
As part of the internal process for reporting a potential incident, your organisation should ensure roles and responsibilities are formalised for reporting a qualifying event to the supervisory authority within the statutory time periods. Failure to do so will likely lead to substantial fines and reputational damage.
All details of the Heathrow Airport data breach and the subsequent Information Commissioner’s Office investigation can be found on the ICO’s website: https://ico.org.uk/action-weve-taken/enforcement/heathrow-airport/