Device security issues remain endemic across the public sector, with several departments reporting an increase in lost and stolen devices, despite internal audits and attempts to address the issue, according to FoI requests submitted by Apricorn. Some government departments are now declining to reveal their losses, making it harder to gain an accurate picture of device security.

Across the 17 departments questioned, more than 1,200 organisational devices were reported lost or stolen between January and December 2024. HMRC alone accounted for 804 of these losses, including 499 mobile phones. A large number of the reported phone losses were the result of an internal audit that flagged legacy devices replaced with newer models, highlighting ongoing inventory management challenges.

The House of Commons reported 100 devices lost or stolen during 2024, a significant increase from 65 devices the previous year. Similarly, the Department for Education saw device losses climb from 78 in 2023 to 107 in 2024.

The Department for Energy Security and Net Zero also reported a rise: from 122 lost devices in 2023 to 150 in 2024, while the Department for Science, Innovation and Technology reported 113 missing devices.

"Although HMRC’s numbers suggest some improvement following internal audits, the continued high levels of device loss across government departments show that fundamental issues have not been resolved," said Jon Fielding, managing director, EMEA, Apricorn. "Every lost or unaccounted device carries a risk for those individuals whose data could be exposed."

The findings also reveal the extent of personal data breaches, with The House of Commons disclosing 49 incidents involving personal data during 2024, up from 41 reported the previous year. Despite these breaches, the House of Commons has not had to disclose any such personal data breach to the Information Commissioner’s Office in this period.

Both the MoJ and the DfE refused to disclose details on data breaches and reports made to the ICO, citing exemptions under Section 24(2) of the Freedom of Information Act. The exemption states that there is no duty to confirm or deny whether the requested information is held if doing so would prejudice national security.

Fielding added, "This growing lack of transparency raises further questions about the true scale of data breaches occurring within government departments and the threat to data. Whilst all departments confirmed their devices are encrypted, they must be supported by strong back-up protocols, inventory control and employee awareness programmes. A holistic approach to data protection, including frequent audits, multiple back-up copies, and rigorous disaster recovery testing, is essential to minimise the risks posed by device loss and theft."

Apricon's research was conducted through Freedom of Information requests submitted via Whatdotheyknow.com in February 2025.

---