Information Security leakage. Is this now becoming fashionable?
by John Filippis, Strategic Engagement Manager, Quorum
Recently there seems to have been a higher than normal run of information security leaks splashed across the pages of almost every newspaper and/or online publication. It has become a somewhat predictable affair, so much so that it has led me to seriously consider trying my hand at running a raffle called “Yes it happened to me” every Monday on who is going to get breached in the coming week. I think there could be some entertainment (and likely some good money) in a raffle, as information security and data leakage have seriously become a free-for-all in the same way as an Ibiza pool party in summer.
Despite all the information available from a variety of sources (Gartner, IDC, Forrester etc.) and the multitude of security tools available (insert a million things here), it seems that IT as a whole is just not taking information security and data leakage seriously enough. Recently we have had some strong names collect the “Yes it happened to me” prize; remember Deloitte and the Australian aviation defence contractor (and that is only in the last 4 weeks).
The latest winner of the “Yes it happened to me” prize is Heathrow Airport. It appears that an unattended USB stick that was lost near the airport was picked up by a random someone, and they were able to read the contents of the data. Now the data on this USB stick was far from benign, in the way of an employee’s vacation snaps or pictures of their favourite puppy. No, the information on this little piece of $10 silicon contained something of considerable value to anyone looking for it.
Instead of pictures of a cute puppy or a bad ass bachelor’s party, the USB drive contained documents which outlined routes and safeguards for the Queen, foreign dignitaries and top politicians.
It gets better: the USB drive also included maps showing where CCTV cameras are located, and escape routes for the Heathrow Express railway serving the airport.
Want more?
There were also other files describing the ultrasound detection system for protecting the perimeter fence and the runways, and details of the ID requirements for accessing every area of the airport.
Yes ladies and gents, you read that right. All of that information was easily removed from its source (supposedly secure), put on an unencrypted USB stick (and all the files were also in unencrypted form, I might add) and then lost in the street.
I am sure that I don’t need to tell an audience such as yourselves where the responsibility for this carelessness ultimately resides; it is most certainly not with the employee with the hole in his or her pocket. This is IT 101; it was the first thing that you learnt when you sat down at the IT administrator’s console. For those that missed the lesson (the IT crowd at Heathrow Airport may wish to take some notes), here are some important attributes to remember:
- Data and information of such nature must always be encrypted, at rest and in transit
- The identities that access this data need to be protected and challenged with MFA where appropriate (such as in this case)
- Allowing removable device usage to store data of this type is highly negligent (to say the least)
- Even if the data is removed (i.e. a hack or leak) it should be totally unreadable to anyone without the right device, credentials and access rights
The tools to prevent and solve this type of pronounced problem are readily available, have a reasonably low cost to implement and can be deployed in a short time. One example that comes to mind is Microsoft 365 (Win 10 + EM+S + Office 365). All of the tools in this stack could have been employed to provide the necessary barriers to stop the English newspapers from having a field day at Heathrow IT’s expense.
Why the IT crowd at Heathrow failed to provide even the most rudimentary forms of protection for this most sensitive of data is not yet known, and likely may never be publicly known.
Heathrow Airport…this week’s winner of the “Yes it happened to me” prize.
By the way, I am selling tickets for next week’s raffle!!
Check out the article below.