Government departments reveal extent of recent data security breaches following series of FoI requests

NHS Digital recorded a total of 393 lost or stolen devices in the year to September 2021, including 52 mobile phones, 19 laptops and 3 tablets. A further 319 laptops were recorded as lost due to having no record of their disposal.

These numbers were uncovered by Freedom of Information requests submitted by secure storage provider, Apricorn, to 16 government departments.

Despite the number of misplaced devices, NHS Digital were not required to notify the Information Commissioner’s Office of any lost or stolen devices in the past year as these incidents related to encrypted devices and were unlikely to result in a risk to individuals’ rights and freedoms as required under Article 33 of the UK GDPR.

“Lost and stolen devices are, in most part, unavoidable. However, there are still a large number of loses, anyone of which could very easily put sensitive public data at risk,” said Jon Fielding, managing director, EMEA, Apricorn. “Fortunately, in the case of NHS Digital, despite the mishap in recording the disposal of a large quantity of laptops, their security processes ensured that all these devices were encrypted, and as a result, the data they housed was protected.”

FoI requests submitted to the Ministry of Justice revealed a total loss of 184 mobile phones, PCs, laptops and tablet devices in the same period compared with 161 during the prior 12 months. The FoI request also revealed that the MoJ declared some 2,152 data breaches in that time (September 2020 and September 2021).

Research into the Home Office’s Annual Report and Accounts 2020-21 also highlighted a considerable loss of 1,150 inadequately protected electronic equipment, devices or paper documents from outside secured government premises, and a further 1,085 from within secured government premises. The Home Office reported a further 2,229 data incidents via unauthorised disclosure, 157 incidents through insecure disposal of inadequately protected electronic equipment, devices or paper documents and 351 via ‘other’ data incidents.

HMRC’s number of lost and stolen devices in the year to September 2021 totalled 346, a drop on the 375 misplaced during the prior 12 months. Some 111 of those devices were lost in tracked transit and suggested that the number of losses during transit reflect the higher volumes of movements to and from staff working from home as a result of COVID-19 restrictions.

The Department for Education confirmed it had lost, or reported stolen, 116 devices between September 2020 and September 2021. This was 23 fewer than 2020.

The Department for Business, Energy and Industrial Strategy said it had misplaced 107 devices compared with 193 the previous year, while the House of Commons confirmed a total of 15 devices had been lost or stolen compared with 38 in 2019/20, and the House of Lords declared 7 lost or stolen, one less than 2019/20.

“Whilst it’s great to see the numbers declining for a number of government departments, big or small, these losses and subsequent breaches of information prove that there is still work to be done. These departments must educate their employees on data security best practices and recognise that security and compliance are not a tick box exercise, but one that requires continual effort through enforced policy, processes and technology,” Fielding added.

When asked about whether the lost or stolen devices were encrypted, all but one of the responses from government departments confirmed that all devices were encrypted. Public Health England declined to respond.

    Share Story:

YOU MIGHT ALSO LIKE


Cyber risk in the transportation industry
The connected nature of the transport and logistics industries makes them an attractive target for hackers, with potentially disruptive and costly consequences. Between June 2020 and June 2021, the transportation industry saw an 186% increase in weekly ransomware attacks. At the same time, regulations and cyber security standards are lacking – creating weak postures across the board. This podcast explores the key risks. Published April 2022.

Political risk: A fresh perspective
CIR’s editor, Deborah Ritchie speaks with head of PCS at Verisk, Tom Johansmeyer about the confluence of political, nat cat and pandemic risks in a world that is becoming an increasingly risky place in which to do business. Published February 2022.