Dangerous data breach at Heathrow: How insiders can threaten public safety

A terrifying situation occurred recently for anyone who flies. A USB stick was found by a man in the streets of London. He took it to the library to examine it and found that it contained more than 70 unencrypted security files from Heathrow International Airport. The files included extremely sensitive documents covering security measures and the route taken by the Queen of England when traveling, data regarding ID types needed to access restricted areas of the airport, airport patrol schedules, routes and safety information for government dignitaries, and maps identifying Closed Circuit TV (CCTV) cameras, as well as tunnels and escape routes linked to the Heathrow Express rail link.

This type of data would enable the most horrendous of attacks on innocent travelers. With knowledge of security resources, locations, schedules and capabilities, an attacker could potentially penetrate deeper beyond security checkpoints and further increase the damage of a terrorist attack.

According to Airports Council International (ACI), a global trade representative for global airport authorities, Heathrow had the second largest number of passenger transits in the world in 2016, and the largest in Europe. As far as targets for potential terror attacks go, Heathrow would rank among the highest.

This breach constitutes a public safety and a national security risk.

Just how this data was taken is still unknown and being investigated by Heathrow authorities. It is possible that an external attacker was able to penetrate a network vulnerability remotely and take the documents from an unsecured or compromised computer – the hacker then inadvertently dropping the USB stick in public. Unlikely. It is also possible that whoever originally possessed the USB device had authority to do so and merely lost it accidentally without taking the precaution of encrypting the files. Careless. Possibly the worst scenario is that someone trusted within the airport with legitimate access deliberately copied the documents to the USB stick in order to plan or help devise a terror attack.

Which scenario seems most likely?

The fact that any of these scenarios – and more – are possible illustrates how vulnerable the most sensitive information is. Computer systems and networks affecting public safety and national security need holistic security architectures that offer protection from both external threats (such as network intrusions, malware and ransomware attacks, etc.) and internal threats caused by trusted insiders – whether they breach security deliberately or by accident.

It is implausible that this was the result of an external intrusion. The proximity between where the USB device was found (London streets) and the origin of the files (London Heathrow) suggests strongly and obviously that this required physical access to the files and to the systems on which they were originally located.

It also seems unreasonable to assume that an airport security professional, with access to this kind of data, would copy such files to a removable device with no encryption. While possible, in today's climate, anyone who works for a security organisation, particularly one associated with a large, global airport, would be unlikely to have acted so carelessly with this type of data, much less to have left the premises with it and unwittingly dropped it on the streets of London.

Based on what little is known about this breach, it is most reasonable to assume that this was an act by an insider with access to sensitive security data and likely an intelligence gathering action, possibly to prepare for yet another disastrous attack designed to deliver massive destruction and to spark fear among citizens around the world.

Whatever the scenario, this report starkly illustrates the dangers that trusted insiders can pose to public safety and national security. Many organisations and enterprises lower their defences to potential threats when an employee joins the team and becomes an insider. Where public safety is concerned, this is untenable.

To be clear, we don't know what security assets Heathrow may have in place to identify insider threats. It may turn out that it deploys technology to monitor all activities on computers as a matter of public safety. If so, airport security would be able to quickly determine the source of this breach. Can we expect this to be the case in other airports and government agencies trusted to protect citizens across the world?

The ability to track, via computer systems, every move by airlines and airport personnel – from the check-in counter and baggage tracking, to security and the air traffic control tower – is absolutely critical to ensure that insiders aren't putting the public at risk. No system is protected when a trusted insider can access and download sensitive data and walk out the doors with it – unless there is some form of alert.

Even the best network and computer security architecture, if designed only to protect against outside intrusions, would be rendered useless against a breach by an employee with authorised physical access to systems containing sensitive information.

British authorities are trying to determine who may have accessed the files and copied them to the storage device. Most traditional endpoint security technologies, such as antivirus and firewalls, focus on preventing external intrusions. But they typically would not send an alert or prevent an employee from taking data off the system to which they have access.

This leaves the massive public safety risk of insiders' activities going undetected, and of investigations into whether breaches of this nature are accidental or deliberate possibly being crippled.

Patrick Knight, senior director of cyber strategy and technology, Veriato

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.