Editorial

MoD and Home Office declare almost 1000 lost and stolen devices

FoI request highlights increase in lost devices and data breaches across government departments.

Posted 22 March 2023 by Christine Horton


The Home Office declared 469 lost and stolen devices between September 2021 and September 2022, with the Ministry of Defence (MoD) not far behind with 467 mobiles, tablets and USB devices unaccounted for.

The figures come from a Freedom of Information (FoI) request into the security of devices held by public sector employees, submitted to 14 government departments by USB manufacturer Apricorn.

They show Her Majesty’s Revenue and Customs (HMRC) declared 635 lost and stolen devices including 387 mobiles, 244 tablets and four USB drives. This is a 45 percent increase on the numbers shared for the same period in 2020-2021 (346) and 40 percent more than 2019-2020 (375). 

Further to that, the Department of Business, Energy and Industrial Strategy admitted to 204 lost and stolen devices – almost double the 107 declared in the previous year. The Prime Minister’s Office also reported 203 misplaced devices. 

“We have asked these same questions via these FoI requests for the last three years and whilst it’s not surprising to see devices unaccounted for, we would hope to see the numbers declining as cybersecurity becomes more established,” said Jon Fielding, managing director, EMEA Apricorn.

Ministry of Justice breaches

Despite requests, the Ministry of Justice (MoJ) declined to provide answers to the FoI questions posed. It has, however, provided information in previous years which highlighted 345 lost and stolen devices, and 2152 data breaches between September 2020 and September 2021.

However, Apricorn said research into the MoJ Annual Report, which covers April 2021-March 2022, uncovered “a huge number of breaches” declared to the Information Commissioner’s Office (ICO).

The firm noted: “Most disturbing being the disclosure of a Covid status spreadsheet of 1,800 staff and offenders sent by email to all staff within a prison. This contained the confidential data for offenders and staff, including health data. Another 1400 MoJ employees were potentially affected when a compromised Office 365 account allowed access to personal data. 

“Further to that, there were 5,782 security incidents that were not deemed necessary to report to the Information Commissioner’s Office for 2021-22, including loss or theft of information assets from secured government premises and outside secure premises, as well as insecure disposal of inadequately protected electronic equipment, devices or paper documents.”

“It’s worrying to think that a government entity that holds so much responsibility, and retains so much sensitive and personal information, can pose this much risk,” said Fielding. “The number of recorded security incidents, whether reported to the ICO or not, should alarm security teams. A good place to start would be through education and awareness. It’s not simply about putting critical policies in place, but equally ensuring that awareness is maximised among employees so that the risks associated with applications, actions and devices are understood.” 

Encryption the norm for devices

The Foreign, Commonwealth and Development Office (FCDO) also declined to respond to requests, but its Annual Report for 2021-22 recorded 117 personal data incidents between March 2021 and April 2022. Ninety-six were considered personal data breaches under UK General Data Protection Regulation (UK GDPR), 76 of which were deemed human error, two were tech issues, 10 resulted from partners across government (PAG) and supplier, and eight were deliberate contraventions. The FCDO also had 16 incidents considered serious enough to be reported to the ICO.

The Department for Education (DfE) confirmed the loss and theft of 356 devices, including 296 USB drives.

Importantly, however, all of the government departments asked confirmed that the missing devices were encrypted as standard.