Heathrow must pay a £120,000 fine after an employee lost a memory stick containing dozens of staff’s personal details.
The details of up to 50 security personnel, and 10 people’s names, dates of birth and passport numbers, were exposed on the memory stick, which was found by a member of the public.
The data was not encrypted, and the person was able to view it at their local library before sharing the information with a national newspaper.
Upon investigating, UK data watchdog the Information Commissioner’s Office (ICO) found that just two per cent of Heathrow’s 6,500-strong workforce had had data protection training.
Steve Eckersley, head of investigations at the ICO, said: “Data protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise.
“Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them.”
The watchdog also criticised Heathrow’s “widespread” use of memory sticks, saying the practice contravened the airport’s own policies and guidance.
A spokesperson for the airport said it had taken swift action to strengthen processes following the breach.
“We accept the fine that the ICO have deemed appropriate and spoken to all individuals involved,” they added.
“We recognise that this should never have happened and would like to reassure everyone that necessary changes have been implemented including the start of an extensive, information security training programme which is being rolled out company-wide.”
“We take our compliance with all laws extremely seriously and operate within the stringent regulatory and legal requirements demanded of us.”