back to article Remember that lost memory stick from Heathrow Airport? The terrorist's wet dream? So does the ICO

Heathrow Airport Limited (HAL) has been fined £120,000 by the UK's data watchdog for the loss of an unencrypted USB memory stick reportedly containing airport security data. The device misplaced by a HAL employee, as reported by El Reg, was said to house a trove of documents including routes and timings of airport security …

  1. Richard Simpson

    Use of old classification

    The presence of documents containing obsolete security classifications is not necessarily surprising. In an astonishing example of governmental common sense, when the new classifications came out (3 or 4 years ago) there was no requirement to re-classify existing documents unless and until they were changed.

    1. Gordon 10

      Re: Use of old classification

      Its a good point but Im not clear on the relevance to the story anyway. Surely if HAL are a private company the names they give their security classifications are irrelevant when compared to similarly named ones used in Government? Its the definition of those classifications which are important.

  2. Zippy´s Sausage Factory
    Trollface

    Makes sense

    They can't even serve you decent coffee at Heathrow, why should their security be any better?

    1. Korev Silver badge
      Joke

      Re: Makes sense

      You sound like you've got some baggage there Zippy, was your bag latte or something?

    2. RegGuy1 Silver badge
      Megaphone

      Re: Makes sense

      Well my advice is don't go to Pret a Manger:

      https://www.bbc.co.uk/news/business-45731201

    3. RogerT

      Re: Makes sense

      I was unaware that it was coffee they served there

      1. Muscleguy

        Re: Makes sense

        It can be hard to find proper coffee generally in the UK. You can get it elsewhere so I know it can be done the coffee in NZ for eg is bloody excellent. I blame passive consumers. If nobody went to the big bland chains they would go out of business.

        It's the same with unripe fruit in the supermarkets. Again having grown up in NZ I know what ripe fruit is and a vast proportion of supermarket fruit in the UK is vastly unripe. I adore apricots but haven't bought any in years, in the UK as they are universally small, hard and very, very sour. Pretty much the opposite of what an apricot should be and which I know it could be. The number of people who I have taught to recognise a good watermelon after they see me holding one up and tapping it with a fist (it should ring like a bell, if you get a dull thud, put it back). For cantaloupe type melons you have sniff them, no or little smell, put it back. The list goes on and it exists because British consumers are passive and do not demand ripe fruit or refuse to buy the unripe stuff.

  3. DJV Silver badge

    Yes, but...

    ...more importantly has a HAL PR drone issued a press release saying something like "security is our highest priority" so that we can all snigger and laugh even more at their expense/lies/bulllshit?

    1. Anonymous Coward
      Anonymous Coward

      Re: Yes, but... re hal drones

      the job of any drone is to drone (and I suppose they're well-paid for droning any nonsense the ueber-drone tells them to drone about as of today).

      1. Rattus
        Trollface

        Re: Yes, but... re hal drones

        drones aren't alowed anywhere near airports....

    2. Geekpride

      Re: Yes, but...

      "Security is our highest priority, and we can reassure the public that the data on this memory stick would not allow any unauthorised opening of pod bay doors."

  4. Anonymous Coward
    Anonymous Coward

    The Queen

    Now has to be smuggled through Heathrow as part of a hen-do to Malaga until she can make an escape via a hidden door behind the giant bars of Toblerone in duty free.

    1. Ken Moorhouse Silver badge

      Re: The Queen

      Was planning to go to Magaluf on the 27 Oct 18, but you've ruined her plans now.

    2. MyffyW Silver badge

      Re: The Queen

      If her Maj really does take the same route every time, surely that in itself is a risk?

      1. imanidiot Silver badge

        Re: The Queen

        In public they'll usually use various randomly chosen routes to minimise the chances of someone figuring it out. In a supposedly secure area like the "backend" of an airport it should be possible to use the same route. Because it's a rather small area with a limited number of entrances, probably a fixed "royal lounge" and a fixed ramp for the aircraft that means there's little to vary in the approach and departure routes on the airport itself anyway.

  5. smudge

    a national newspaper, which recorded the data

    Yes I know the information should not have been lost, but is "recording" it legal? Noting its contents, maybe, but recording it? What if it was personal data? Presumably there is case law on this.

    And I don't like the idea of viewing it first at a library. Do library PCs have open, functional USB ports? Was the finder worried that there might be malware on it? (And did a qualified security bod sanitise the library PC afterwards?)

    1. ibmalone

      Re: a national newspaper, which recorded the data

      And I don't like the idea of viewing it first at a library. Do library PCs have open, functional USB ports? Was the finder worried that there might be malware on it? (And did a qualified security bod sanitise the library PC afterwards?)

      Probably the second safest option (after not connecting it to anything) from the finder's point of view. Library computer USBs will allow connecting storage devices because one of their purposes is to let people get data off or on (e.g. for emailing), they're there to give the general public access to IT.

      Interesting question though, what is the properly paranoid approach, assuming you need to read an untrusted USB device? If you're willing to believe it may have some way of compromising the machine, or at least the USB interface, then maybe it's use once and dispose of all hardware (or at least, replace all EEPROM and BIOS as well as wipe disc)?

      1. Anonymous Coward
        Anonymous Coward

        Re: a national newspaper, which recorded the data

        > Interesting question though, what is the properly paranoid approach, assuming you need to read an untrusted USB device?

        Use a dedicated sanitizer device such as https://www.circl.lu/projects/CIRCLean/

        1. ibmalone

          Re: a national newspaper, which recorded the data

          Use a dedicated sanitizer device such as https://www.circl.lu/projects/CIRCLean/

          That's a nice answer, probably does do the job (at least, it's hard to believe an arbitrary good USB flash drive could be compromised to propagate the attack further), and looks like it's from people who know what they're doing. However when there are things like this in the mix https://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/ it's hard to say that you can't attack the device, even with allowed device classes locked down (to avoid all the peripheral spoofing types of attack), especially the sanitiser is a standard computer. Once you've got control of the sanitiser you can't guarantee what's been written to the 'clean' device is safe. I might be wrong, but it seems some storage devices will accept firmware updates and presumably you need to avoid those.

          An attacker who'd gained control of the sanitiser could also attempt to include filesystem handling attacks and compromised files on the output device, but those you can at least handle by analysing from a VM and wiping it afterwards. Attacks on the interface itself seem (to me) harder to deal with, since the attacker potentially has the host OS and therefore the ability to get to the BIOS and other hardware. I suppose I was hoping for some protocol level device that could buffer and sanitise the connection. Admittedly a USB firmware worm that will propagate over a Pi seems like quite a sophisticated hypothetical attack,

          1. Hans 1

            Re: a national newspaper, which recorded the data

            I might be wrong, but it seems some storage devices will accept firmware updates and presumably you need to avoid those.

            No, device makers need to get their act together and enforce encrypted and/or signed firmware images. You need to be able to update the firmware when flaws are found, right ?

            1. ibmalone

              Re: a national newspaper, which recorded the data

              I might be wrong, but it seems some storage devices will accept firmware updates and presumably you need to avoid those.

              No, device makers need to get their act together and enforce encrypted and/or signed firmware images. You need to be able to update the firmware when flaws are found, right ?

              In general, yes, if the thing could conceivably need firmware updates. For a flash drive? It's one use case where immutable may be better. There's not much you can do to attack it directly when plugged in, except possibly re-program it to attack the next computer it's plugged into. (You've got direct access to the storage anyway, so data destruction is not something you need to exploit a bug in the firmware for, and if there's a serious enough bug to cause data loss then you scrap it and get on with life.)

        2. Anonymous Coward
          Anonymous Coward

          Re: a national newspaper, which recorded the data

          It sounds like something the library or any other place with shared computer usage should have. The scan should be run by the personnel running the place before the flash drive is allowed to be used in their equipment.

      2. smudge

        Re: a national newspaper, which recorded the data

        If you're willing to believe it may have some way of compromising the machine, or at least the USB interface, then maybe it's use once and dispose of all hardware (or at least, replace all EEPROM and BIOS as well as wipe disc)?

        Actually, when I said "sanitise", I was thinking of ensuring that it doesn't have any classified material still on it. But the possibility of malware is, of course, a real problem - probably more of a risk than, say, having some confidential information in a disk sector that had been part of the page file.

        1. Hans 1
          Coffee/keyboard

          Re: a national newspaper, which recorded the data

          probably more of a risk than, say, having some confidential information in a disk sector that had been part of the page file.

          Paging onto a USB flash drive ?????

    2. frank ly

      @smudge Re: a national newspaper, which recorded the data

      The reason the newspaper made a copy was in case HAL then denied that it had ever lost the USB stick. That would not be beyond the bounds of possibility or reason.

      Also, it would have been useful if HAL then did lose the returned USB stick and asked for a copy for its investigations.

    3. Doctor Syntax Silver badge

      Re: a national newspaper, which recorded the data

      but is "recording" it legal?

      That was my thought too. What penalty has ICO imposed on them? Or is there to be a prosecution under computer misuse? The stick serves as a proxy for the computer on which the data was kept.

      I suppose the get-out is that the only evidence that a copy was made would be the operator's own evidence which would amount to self-incrimination and might not be allowed.

    4. Anonymous Coward
      Anonymous Coward

      Re: a national newspaper, which recorded the data

      Working for a local authority I love the idea that someone thought it might be malware and so used library PCs to check it :) having said that, funnily enough it is something that we think of with the design of public access machines and our devices completely refresh all changes to a known state using Faronics Deep Freeze. I suspect there are some authorities out there that don't go to these lengths though!

      1. Alan Brown Silver badge

        Re: a national newspaper, which recorded the data

        I suspect most authorities out there that don't even think about this kind of issue, let alone go to these lengths.

        FTFY

    5. Cynical Pie

      Re: a national newspaper, which recorded the data

      Certainly from a DP Perspective there is a specific exemption for journalism that would allow them to process the data but can't speak for the other categories of data

    6. Jonathan Richards 1

      Re: a national newspaper, which recorded the data

      If there were documents marked RESTRICTED or CONFIDENTIAL, as reported, then by definition it's an offence under the Official Secrets Act to have a copy unless you're an authorised person. The newspaper would have known this, but their lawyers probably told them that they estimated that the Crown Prosecution Service would not consider a prosecution to be in the public interest. I very much hope that they also stored their copies on disposable hardware: the security authorities might otherwise demand cleansing of their server networks. Look what happened to the Guardian's hard disks.

      1. Alan Brown Silver badge

        Re: a national newspaper, which recorded the data

        "If there were documents marked RESTRICTED or CONFIDENTIAL, as reported, then by definition it's an offence under the Official Secrets Act to have a copy unless you're an authorised person. "

        I must remember to tag all my shopping lists as "RESTRICTED" and then invoke the OSA when plod wants to see them.

  6. Sixtysix
    Black Helicopters

    The 2% - and not interested

    Obviously Elites... except, D'Oh

    How any org (that deals with secure information) can think not training staff in Information Security is a good idea these days beggars belief.

    The REAL eyeopener was the ICO having a complete lack of interest in the "marked" files: WTF? Guess they assume that HMG / Police / GCQH will pick up the slack... ?

    I do wonder if a head rolled.

    1. Doctor Syntax Silver badge

      Re: The 2% - and not interested

      "How any org (that deals with secure information) can think not training staff in Information Security is a good idea these days beggars belief."

      Being trained isn't quite the same thing as having been on a training course.

  7. drdr6

    Annual revenue HAL 2017 £2884M, fine 0.12M

    Fine = 0.004% of revenue

    If the government were serious about security it would give the powers to fine at least single digit percentages of revenue. This isn't even a slap on the wrist, more like a grain of sand in a shoe.

    1. ibmalone

      Happened in 2017, so fell under the old laws. That does mean the cap would have been £500k, but I suppose approach to determining the fine would have also had to be in line with the previous practice, rather than working it out as if it had happened after and then applying the cap.

      1. Zimmer
        FAIL

        Fines? Pah!

        If you fine a company it will only recover the costs through its customers, that's you and me, via increased prices.

        Jail for accountable senior executives is possibly the only answer to them taking our data (anybody's data) seriously.

        1. Sureo

          Re: Fines? Pah!

          Yes who was the dimwit anyway walking around the public area with that usb stick then losing it?

          1. Version 1.0 Silver badge

            Re: Fines? Pah!

            who was the dimwit

            Probably the PHB, had it been the PFY then he would have been crucified by now in public.

            1. Doctor Syntax Silver badge

              Re: Fines? Pah!

              "had it been the PFY then he would have been crucified by now in public."

              In which case something even nastier, probably involving insecure windows or faulty lifts, rolls of carpet and quicklime would have happened to the PHB.

        2. Graham 32

          Re: Fines? Pah!

          >f you fine a company it will only recover the costs through its customers, that's you and me, via increased prices.

          True, but they should have charging higher prices and using the money to improve training, processes, monitoring etc.

  8. Anonymous Coward
    Anonymous Coward

    Restrictive?

    The old security classification would have been RESTRICTED, not restrictive.

  9. This post has been deleted by its author

    1. Stoneshop
      Facepalm

      Re: Re. Restrictive?

      Also yes if you find something like this the "right" thing to do is hand it in *IMMEDIATELY* to someone who knows what classified data is

      And how would you know there could be confidential data on a stick, and not cat vids, without you plugging it in? People generally don't put labels "STRICTLY COMPANY CONFIDENTIAL" on such things, although there are ones that are sufficiently stupid to do so.

  10. The Pi Man

    How hard can it be?

    Yet again I’m left asking why an organisation allows an employee to copy data to a USB stick. Do these places not have secure VPNs that enable staff to work remotely without having sensitive information copied outside the secure perimeter?

    1. Simon Brady

      Re: How hard can it be?

      Yet again I’m left asking why an organisation allows an employee to copy data to a USB stick.

      Maybe the stick was labelled "Lady Gaga".

  11. Herby

    Makes me wonder...

    What would happen if you left a USB stick lying around with "important" information. Probably some BOFH type information that might get the "boss" in hot water.

    Of course, it would all be made up, but convincing.

    Then wait for the after action and laugh very hard.

    Project. HAL 9000?

  12. Anonymous Coward
    Anonymous Coward

    "Queen's exact route used each time she travelled"

    Not amused.

    Betty now has to go via Claxton, Bexhill-on-Sea, Slough and Lower Slaughter each time she is driven to Heathrow!

    1. Christoph

      Re: "Queen's exact route used each time she travelled"

      The day we went to Heathrow

      By way of Inverness

  13. Andy Denton

    "Timings and routes of security patrols"

    Whilst there may be defined patrol routes, the last thing you want is to execute these patrols in a predictable manner, especially in a high security environment. If your patrol management software doesn't cater for this, buy better software.

    1. Valeyard

      Whilst there may be defined patrol routes, the last thing you want is to execute these patrols in a predictable manner,

      I agree, and I'm not some joe public here, I've played enough commandos: behind enemy lines to be qualified to have an opinion on this.

    2. Hans 1
      Holmes

      I am not into security patrols at all and also thought that was a rather dumb strategy. Even Brinks know that, come on!!!!! Ok, they learned it the hard way ...

    3. Alan Brown Silver badge

      "the last thing you want is to execute these patrols in a predictable manner"

      OTOH you may run scheduled patrols and intersperse them with random unmarked ones to catch the numpties trying to dodge them.

  14. Christoph

    You only need a single hole in security to lose

    Search all the baggage and the passengers. Armed police everywhere. Strict controls on who can enter certain areas. Highly visible security everywhere you look. And then leave the security specs lying around on a USB stick.

    Someone is more into security theatre than actual risk analysis by real experts.

    1. Mr. Flibble

      Re: You only need a single hole in security to lose

      Security Theatre? That's airports generally... Well, and beig full of pointless no-cheaper-than-elsewhere shops...

  15. Anonymous Coward
    Anonymous Coward

    Hmmm...

    ..."boardroom issue"

    In some of my experience the people in the boardroom are the ones that actually don't understand security and sometimes actually try to bypass it due to "do you know who I am?".

    Local councillors are notorious for it.

  16. Stevie

    Bah!

    Airport security is lax?

    Who knew?

    I mean, it's not like the baggage handlers are just hired off the street is it?

    Anyway, everyone knows the real threat is the bottle of shampoo or hand sanitizer passengers willfully try and smuggle on the plane.

  17. Anonymous Coward
    Anonymous Coward

    RE. Re. restrictive?

    Should probably have made it clear that I have been in this situation before.

    Decided that the "right" thing to do after verifying the contents on a standalone and then-fully-forensically-wiped machine was to hand the drives in anonymously.

    A prepaid padded envelope is actually available for this purpose if you ask the right people.

  18. anonymous boring coward Silver badge

    Have they heard of this thing called "encryption"?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like