Government departments recording large numbers of lost and stolen devices

Freedom of Information requests were submitted to 16 government departments into the security of devices held by employees

Posted 13 January 2022 by Christine Horton

NHS Digital recorded a total of 393 lost or stolen devices between September 2020 and September 2021, including 52 mobiles, 19 laptops and three tablets.

The information was uncovered via Freedom of Information (FoI) requests submitted to 16 government departments into the security of devices held by public sector employees by hardware-encrypted USB drive manufacturer, Apricorn.

As part of the 393 devices, NHS Digital says 319 laptops were disposed of. The FoI confirms this, however it states they had to be recorded as lost in addition to the other figures as they did not have a record of the disposal.

Despite the number of misplaced devices, NHS Digital was not required to notify the Information Commissioner’s Office (ICO) of any lost or stolen devices as these incidents related to encrypted devices. These were unlikely to result in a risk to individual rights and freedoms as required under Article 33 of the UK GDPR.

Apricorn says all organisations, whether they operate in the commercial or public sector, should take heed of the level of mitigation encryption brings in a breach event.

“Lost and stolen devices are, in most part, unavoidable. However, there are still a large number of loses, anyone of which could very easily put sensitive public data at risk. Fortunately, in the case of NHS Digital, despite the mishap in recording the disposal of a large quantity of laptops, their security processes ensured that all these devices were encrypted, and as a result, the data they housed was protected,” said Jon Fielding, managing director, EMEA, Apricorn. 

Meanwhile, FoI requests submitted to the Ministry of Justice (MoJ) revealed a total loss of 184 mobile phones, PCs, laptops and tablet devices in the same period compared with 161 in 2019/20. It comes after the MoJ admitted to 16 incidents of data breaches over the last two years.

Huge losses

Research into the Home Office’s Annual Report and Accounts 2020-21 also highlighted a huge loss of 1150­ inadequately protected electronic equipment, devices or paper documents from outside secured government premises, and a further 1085 from within secured government premises. Additionally, it reported a further 2229 data incidents via unauthorised disclosure, 157 incidents through insecure disposal of inadequately protected electronic equipment, devices or paper documents and 351 via ‘other’ data incidents. 

Her Majesty’s Revenue and Customs (HMRC) shared detailed information on the number of lost and stolen devices between (September 2020 and September 2021), which totalled 346, a drop on the 375 misplaced in 2019-2020. HMRC also noted that 111 of those devices were lost in tracked transit and suggested that the number of losses during transit reflect the higher volumes of movements to and from staff working from home as a result of COVID-19 restrictions.  

The Department for Education (DfE) also confirmed it had lost, or reported stolen, 116 devices between September 2020 and September 2021. This was 23 fewer than 2020, but still worryingly high and exceeds the 91 lost devices highlighted in the 2019 findings.  

The Department for Business, Energy and Industrial Strategy misplaced a total of 107 devices compared with 193 last year, while the House of Commons confirmed a total of 15 devices had been lost or stolen compared to 38 in 2019/20, and the House of Lords declared seven lost or stolen, one less than 2019/20. 

“Whilst it’s great to see the numbers declining for a number of government departments, big or small, these losses and subsequent breaches of information prove that there is still work to be done. These departments must educate their employees on data security best practices and recognise that security and compliance are not a tick box exercise, but one that requires continual effort through enforced policy, processes and technology,” said Fielding. 

When questioned about whether the lost or stolen devices were encrypted, all but one of the responses from government departments confirmed that all devices were encrypted. Public Health England declined to respond. 

Of those that responded, just five government departments confirmed they have a data backup in place. Additionally, all those questioned declined to respond, or would neither confirm, nor deny if they had been subject to any ransomware demands in the past year.