Not all cybersecurity risks are the stuff of super-secret code hacks or high-tech digital attacks. One of the biggest culprits: off-the-shelf thumb drives (also known as flash drives or memory sticks) that you can purchase online, at Walmart or at your local office supply shop. Lightweight and small enough to fit in your pocket, thumb drives can store massive amounts of data.
Yesterday’s stunning news from the UK underscores the risk of these common devices. A USB memory stick allegedly containing highly confidential Heathrow airport security information was found on a London street about 10 miles from the airport. The man who found the USB drive took it to a nearby public library, plugged it into a computer and quickly discovered that it was not encrypted or password protected – and reportedly was full of British intelligence information including 76 separate files with maps, videos and documents. According to UK news reports, the thumb drive had 174 documents, some of which were marked “confidential” or “restricted.” The documents are reported to have included:
Files disclosing the identification needed to access restricted areas at Heathrow airport;
Law enforcement patrol schedules used to guard against terror attacks and suicide bombers;
Security measures – including route information – used to protect Queen Elizabeth II, Cabinet ministers and foreign dignitaries at the airport;
Maps showing the location of surveillance cameras; and,
Details about an ultrasound radar systems used to scan runways and airport parameters.
Instead of turning the thumb drive over to law enforcement, the man gave it to the Sunday Mirror, which broke the news over the weekend and then turned it over to police.
An investigation is ongoing. It’s not known how the drive ended up on a London street or whether its contents have been compromised.
Incidents like this one raise fundamental questions for any organization that collects or stores sensitive information and whether it has appropriate controls in place to minimize this type of risk. Such controls could include disabling the USB port on company computers, implementing policies that restrict or preclude the use of USB memory sticks to download or transport data files, and providing encrypted devices for such use.