Freedom of Information requests submitted to 14 government departments into the security of devices held by public sector employees have revealed that the Home Office has declared 469 lost and stolen devices between September 2021 and September 2022, with the Ministry of Defence not far behind with 467 mobiles, tablets and USB devices unaccounted for.

The FoI request, submitted by Apricorn, also shows that HMRC declared 635 lost and stolen devices including 387 mobiles, 244 tablets and 4 USB drives - a 45% percent increase on the numbers shared for the same period in 2020-2021 (346) and 40% more than 2019-2020 (375).

The Department of Business, Energy and Industrial Strategy admitted to 204 lost and stolen devices – almost double the 107 declared in the previous year. The Prime Minister's Office reported 203 misplaced devices.

“We have asked these same questions via these FoI requests for the last 3 years and whilst it’s not surprising to see devices unaccounted for, we would hope to see the numbers declining as cyber security becomes more established. Robust, regularly reviewed and tested policy and practice, with appropriate technology choices and implementation, supported by education and comprehensive backup and recovery strategy, is a must for optimum protection”, said Jon Fielding, managing director, EMEA Apricorn.

The Ministry of Justice declined to provide answers to the FoI questions posed, regardless of having provided information in previous years which highlighted 345 lost and stolen devices and an alarming 2,152 data breaches in that time (September 2020 and September 2021).

The Foreign, Commonwealth and Development Office also declined to respond to requests, but its Annual Report for 2021-22 recorded 117 personal data incidents between March 2021 and April 2022 - 96 were considered personal data breaches under GDPR, 76 of which were deemed human error 76, 2 were tech issues, 10 resulting from partners across government and supplier and 8 were deliberate contraventions. The FCDO also had 16 incidents considered serious enough to be reported to the ICO.

The Department for Education meanwhile confirmed the loss and theft of 356 devices, including 296 USB drives.

Fielding added: “The good news is that encryption is obviously recognised and in the case of government departments, mandated, as a critical component of device security. Hardware encrypted storage devices should be provided as standard to ensure that any sensitive data held on them should always be unintelligible if they happen to be misplaced and fall into the wrong hands. Additionally, encryption should be combined with the automation and enforcement of security policies through technology wherever possible.”

Share Story: