Heathrow Airport Limited (HAL) has been fined £120,000 following a “catalogue” of “serious” data protection failings.
Last October, a member of the public found a memory stick lost by an airport employee containing “sensitive personal data”.
The memory stick contained 76 folders and more than 1,000 files without encryption or password protection.
The person who found the USB stick was able to access the material at a local library before passing it on to a national newspaper, which took copies before returning it to HAL.
A report by the Information Commissioner’s Office (ICO) on Tuesday found that while the stick contained only a “small amount” of personal and sensitive personal data, it did include a training video exposing ten individuals’ names, dates of birth and passport numbers, and details of up to 50 HAL aviation security personnel.
The ICO investigation further found only 2% of HAL’s 6,500-strong workforce had been given data protection training.
Steve Eckersley, ICO director of investigations, said: “Data protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise.
“Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them.”
Other concerns noted during the investigation included the widespread use of removable media in contravention of HAL’s own policies and guidance, and ineffective controls preventing personal data from being downloaded onto unauthorised or unencrypted media.
The ICO said HAL carried out a number of remedial actions once it was informed of the breach, including reporting the matter to the police, acting to contain the incident and engaging a third party specialist to monitor the internet and dark web.
A Heathrow spokesperson said: “Following this incident the company took swift action and strengthened processes and policies.
“We accept the fine that the ICO have deemed appropriate and spoken to all individuals involved. We recognise that this should never have happened and would like to reassure everyone that necessary changes have been implemented, including the start of an extensive information security training programme which is being rolled out companywide.
“We take our compliance with all laws extremely seriously and operate within the stringent regulatory and legal requirements demanded of us.”