Most of the data breaches you hear about in the news are from external hackers infiltrating a network and stealing credit cards, personal data or intellectual property. You don’t always hear about the oops or mistake that caused the same problem from a trusted insider. This past week Heathrow Airport and London’s Metropolitan Police were scrambling to find out how security plans for the airport that included those related to Queen Elizabeth wound up on a USB stick found on a London street.
The USB memory stick had about 2.5 GB of unencrypted data, including details of the route used to convey Queen Elizabeth to the airport, details of every type of identification required to access restricted areas, a timetable of patrols around the airport perimeter and a map of CCTV cameras, tunnels and escape shafts. Heathrow and the London Metropolitan Police launched an investigation to discover how this information ended up on a street.
Fortunately a member of the public found the USB drive and gave it to the police. The drive had close to 200 documents that included radio codes used in the event of a hijacking, maps and screening processes for VIP-only areas of the airport, including the so-called Royal Suite. Many of the documents were marked confidential or restricted. This incident has raised questions about data security at Heathrow and concerns of whether the information might have been obtained by terrorists or foreign intelligence agencies.
The cause of the breach is unknown to date, but there are a few possibilities.
- An employee copied the documents onto the USB stick and lost them accidentally
- A contractor or supplier did the same
- Someone with malicious intent copied the documents and intended to sell them or use them to undermine security and cause harm
This points to someone not following proper procedure for handling sensitive data or a breach in security that allowed an unauthorized person to access this information and walk out the door with it. Whether it was an oops from an employee or a problem with security in the supply chain, the results are the same.
CEOs, CISOs, CIOs and boards should be concerned about the possibility of this happening in their organizations. The most egregious issue is that sensitive documents were not encrypted thereby allowing anyone to access the security details of the airport. Allowing users to make the decision on what to encrypt may not be the best approach, since people can make mistakes. A better approach is encrypt documents when users create them. This automatic process can be based on information within the document or the role of the person in the organization.
One would assume that people creating security plans for Heathrow are in positions where any document they create is sensitive and should be encrypted and controlled. By encrypting them as a user saves them and assigning a dynamic security policy that protects them at all times, Heathrow and other organizations can ensure this type of event won’t recur. If the sensitive documents got into the wrong hands, the content would not be accessible.
While many organizations know this, they tend to focus on protecting the perimeter and the devices, rather than the data. If you try to prevent people from using a USB stick to transfer files, they will always find another way. It’s like playing whack-a-mole. It’s better to secure the data, then you know it’s always protected regardless of location.