LONDON - Britain's Heathrow Airport has been fined 120,000 pounds ($156,000) by the country's data protection regulator for "serious failings" in securing personal data held on its systems.

The breach by Heathrow, the busiest airport in Britain and Europe, came to light after an employee lost a USB stick last year which contained personal data on a small number of individuals including staff, which was not password-protected or encrypted.

The regulator, the Information Commissioner's Office (ICO), carried out an investigation as a result.

"Data Protection should have been high on Heathrow's agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise," the ICO said in a statement on Monday.

Under new legislation on data protection, the EU's General Data Protection Regulation, which has been introduced since the date of Heathrow's failings, the airport could have faced a much larger fine.

Amongst the ICO's concerns were that only 2 percent of Heathrow's 6,500 staff had received data protection training.

Heathrow is owned by Ferrovial, Qatar Investment Authority, China Investment Corporation and other investors.

($1 = 0.7669 pounds)

(Reporting by Sarah Young; editing by Kate Holton) ((sarah.young@thomsonreuters.com; +44 20 7542 1109; Reuters Messaging: sarah.young.thomsonreuters@reuters.net))