Heathrow’s dangerous data breach

You may not have heard about this, as it emerged on Sunday. There was a data breach relating to Heathrow Airport. A fully accessible USB memory stick was found on a London street. This memory stick had some 2.5 Gigabytes of data on it, in 174 documents. All of the documents were readable. Some were marked confidential.

 

The following was the type of data on the memory stick:

  • Routes through the airport and security measures for royalty and VIPs
  • Security patrol timing
  • Locations of CCTV cameras
  • Types of ID card required for different areas
  • Escape routes for the Heathrow Express railway line
  • Details of the ultrasound detection system that protects the perimeter fence

Just like the Swedish Government’s data breach (the third story in this post), this sort of information falling into the wrong hands is incredibly dangerous and could have cost people their lives. I don’t say this to be hyperbolic. If a terrorist organisation got their hands on this data, they could have planned a highly effective attack on Heathrow.

It is plain madness that it was possible for the information to be placed onto the USB memory stick in the first place. An organisation that has to consider likely terrorist threats should have the strictest information security measures in place. There are easily implemented technical solutions to prevent the use of unauthorised USB devices. These solutions can also be set to automatically encrypt any information that is stored on authorised USB devices.
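To make the device-control idea above concrete, here is an added Python example (not from the original post, and not a description of anything Heathrow runs) that flags USB mass-storage devices that are not on an allowlist of issued sticks. It assumes Linux endpoints that forward kernel log lines; the sample log, the allowlist and the function name are constructed for illustration, and it detects rather than blocks.

```python
import re

# Constructed sample of Linux kernel log lines (dmesg format); not from the incident.
SAMPLE_LOG = """\
[ 101.1] usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[ 101.2] usb 1-1: SerialNumber: AUTH0001
[ 101.3] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 205.1] usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[ 205.2] usb 1-2: SerialNumber: UNKNOWN99
[ 205.3] usb-storage 1-2:1.0: USB Mass Storage device detected
[ 310.1] usb 1-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 64.00
[ 310.2] usb 1-3: SerialNumber: KBD123
[ 402.1] usb 2-1: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[ 402.2] usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of issued sticks: (vendor id, product id, serial number).
ALLOWED = {("0781", "5567", "AUTH0001")}

FOUND = re.compile(
    r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage ([^:\s]+):\S+ USB Mass Storage device detected")


def unauthorised_storage(log, allowed):
    """Return (port, vid, pid, serial) for each mass-storage attach not on the allowlist."""
    devices = {}  # port -> [vid, pid, serial]; reset on every new attach to that port
    alerts = []
    for line in log.splitlines():
        if m := FOUND.search(line):
            devices[m.group(1)] = [m.group(2), m.group(3), None]
        elif m := SERIAL.search(line):
            if m.group(1) in devices:
                devices[m.group(1)][2] = m.group(2)
        elif m := STORAGE.search(line):
            vid, pid, serial = devices.get(m.group(1), [None, None, None])
            # A missing serial never matches: matching on model alone
            # would let any identical stick through.
            if (vid, pid, serial) not in allowed:
                alerts.append((m.group(1), vid, pid, serial))
    return alerts


if __name__ == "__main__":
    for alert in unauthorised_storage(SAMPLE_LOG, ALLOWED):
        print("unauthorised USB storage:", alert)
```

The second device shares a vendor and product ID with the issued stick but has a different serial number, which is why the allowlist is keyed on all three values.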

Heathrow Airport authorities are obviously investigating this incident. Perhaps they do have these types of solutions in place, and it might emerge that it was an external contractor what done it. Sometimes when external contractors are brought in to do specific pieces of work, their laptops might not have the same security measures applied as would be the case for an employee. In scenarios where you are dealing with the security of people’s lives, you need to have the strictest policies and procedures applied to all who work on it.

As a final comment, the person who found the USB memory stick on the street was wise enough to plug it into a computer in a library rather than their own home PC or laptop. Maybe they had read Commandment 9 and didn’t want to risk potentially infecting their personal equipment. 😏