Heathrow security plans ‘found on USB stick left in the street’

This weekend British tabloid newspaper The Sunday Mirror warned of a potential “risk to national security” after a memory stick containing sensitive information about Heathrow airport was reportedly “found in the street.”

If the report is to be believed, an unnamed unemployed man found a USB stick lying amid the leaves on Ilbert Street, in Queen’s Park, West London – miles away from Britain’s busiest airport.

At least 174 documents were said to be on the unencrypted USB drive, including some marked as “restricted” or “confidential” detailing the precise route used by the Queen when she uses the airport, and security measures in place to protect government ministers and foreign dignitaries.

Other information allegedly contained on the device included details of:

  • the types of ID required to access restricted areas.
  • the location of CCTV cameras, and a network of tunnels and escape shafts linked to the Heathrow Express.
  • timetables followed by security patrols to guard against terror attacks and suicide bombers.
  • the ultrasound radar system used to scan the airport’s perimeter fence and runways.

According to The Sunday Mirror the unnamed man only realised what was on the memory stick when he took it to the library a few days later:

“I was curious about what it contained so a few days later, when I went back to the library, I plugged it into the computer. All these files were there. I couldn’t believe it.”

He’s right. It is hard to believe.

The United Kingdom is on high alert for potential terrorist acts, and strong security would be expected to be in place at high-risk targets such as Heathrow airport.

A Heathrow spokesperson said security was being reviewed in light of the incident:

“Heathrow’s top priority is the safety and security of our passengers and colleagues. The UK and Heathrow have some of the most robust aviation security measures in the world and we remain vigilant to evolving threats by updating our procedures on a daily basis. We have reviewed all of our security plans and are confident that Heathrow remains secure. We have also launched an internal investigation to understand how this happened and are taking steps to prevent a similar occurrence in future.”

Some obvious questions come to mind:

  • Was the USB drive really found lying in the street by someone who then took it to a tabloid newspaper? Or had it been planted there by somebody who wanted to highlight the poor security at the airport, but for reasons best known to themselves wanted to distance themselves from a data breach?
  • Have the security teams at Heathrow confirmed that the data contained on the USB stick is accurate and current rather than false or out-of-date? This may help investigators pinpoint when and how the information was collated.
  • Does Heathrow airport allow staff to use unencrypted USB drives, and what data leak prevention technology is in place to make it harder for sensitive information to leave the network?
  • Are audit logs in place to determine who accesses sensitive information and when, and are there tight controls over who has access to Heathrow’s security plans?

The answers to these questions may never be made public, and it is possible we will never know how the sensitive data ended up lying unencrypted on a London street.

But that’s no reason for other companies not to take a long hard look at what they are doing to prevent sensitive data from leaving their network, to ensure that any confidential data placed on memory sticks is protected by strong encryption, and to put tighter controls in place to prevent unauthorised access to their organisation’s secrets in the first place.

Author Graham Cluley, We Live Security

  • Mark Jacobs

    I am beginning to think that this lackadaisical approach to data security, demonstrated by most large organisations, is deliberate. This is so that they can dispose of the old models of security, and go for a wholesale approach centred around implanted chip technology. If you aren’t “chipped”, you can’t do any business and you can’t access anything sensitive, globally.


Copyright © 2018 ESET, All Rights Reserved.