USB Drive Containing 2.5 GB of Sensitive Files Found on London Street
Security officials at Britain’s biggest airport have been left scrambling after a USB stick was found on a west London street that reportedly contained sensitive information.
See Also: How to Scale Your Vendor Risk Management Program
The USB memory drive contained 2.5 GB of unencrypted data, including details of the route used to convey Queen Elizabeth II to the airport as well as security measures, details of every type of identification required to access restricted areas, a timetable of patrols around the airport perimeter and a map of CCTV cameras, tunnels and escape shafts, the Sunday Mirror reports.
Heathrow Airport says it has launched an investigation and is working with London’s Metropolitan Police to trace how the drive and the information it contains ended up in a street.
The airport is owned and operated by BAA Limited, which also owns or operates six other British airports, and is itself owned by an international consortium led by the Spanish Ferrovial Group. London Heathrow serves as the main hub for both British Airways and Virgin Atlantic airlines.
“Heathrow’s top priority is the safety and security of our passengers and colleagues. The U.K. and Heathrow have some of the most robust aviation security measures in the world and we remain vigilant to evolving threats by updating our procedures on a daily basis,” a Heathrow spokeswoman tells Information Security Media Group.
“We have reviewed all of our security plans and are confident that Heathrow remains secure,” she adds. “We have also launched an internal investigation to understand how this happened and are taking steps to prevent a similar occurrence in future.”
The Sunday Mirror says it received the USB drive from a member of the public and has passed it to police. It says the memory stick contained at least 174 documents, some marked “confidential” or “restricted.” The USB drive, however, was reportedly not password-protected. The newspaper reports that the files include details of radio codes to be used in the event of an “aircraft hijacking” as well as a maps and screening processes for VIP-only areas of the airport, including the so-called Royal Suite located at Heathrow Airport Terminal 5 that’s used by members of the royal family, members of the cabinet and foreign dignitaries.
The data leak has triggered questions about the data security practices in place at London Heathrow, as well as concerns over whether the information might have been obtained by extremists or foreign intelligence agencies.
Data Leak Source: Unknown
Security experts say that it’s unclear where the fault may lie. The information could have been copied onto the memory stick by an airport employee, contractor or supplier and then lost. Or the data on the USB drive could have been compiled by an outsider who was able to purchase the information for sale on darknet marketplaces (see Police Seize World’s Two Largest Darknet Marketplaces).
“While on the surface it’s easy to agree and lambast Heathrow for a basic lack of cyber hygiene, I think at this stage it is important to wait for the facts,” David Stubley, who heads Edinburgh, Scotland-based incident response firm 7 Elements, tells ISMG. “It could just as easily be an issue within the supply chain or a third-party contractor not following procedure.”
CIOs: Reality Check Time
Stubley says in a blog post that every CEO, CISO and CIO should be using the incident to pose at least two questions inside their organization:
- “Are we vulnerable to the same type of data loss being reported in the media?”
- “What assurance activity have we done to confirm that we are not exposed, or that our controls work as expected?”
Britain has seen numerous data breaches result from lost hard drives, laptops, disks and memory sticks, oftentimes because such devices were storing data in unencrypted format. In 2008, for example, the Ministry of Defense admitted that 121 USB memory drives had been lost since 2004, and that at least some of those drives contained secret information.
Many organizations have security policies in place, enforced at the system level, that prohibit and block the use of unencrypted drives to try and prevent these problems. In such organizations, employees typically must apply for an encrypted drive, if the security department even makes them available, given the attendant data-loss concerns.
Heathrow declined to comment about whether it has such policies in place. Again, however, the lost USB drive may not be due to a London Heathrow employee, but rather an outside contractor or agency. If so, however, the data has clearly not been properly secured.
“There is certainly no getting away from the issue that unencrypted data at rest and the use of unencrypted USB sticks shows a clear lack of basic controls in place,” Stubley at 7 Elements tells ISMG. “The question will be where the root cause of this sits.”