Government departments see rise in lost devices​​

​

Device loss remains endemic across the public sector, with several departments reporting an increase in lost and stolen devices according to Apricorn, the leading manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB data storage devices, latest findings from its annual Freedom of Information (FoI) requests.

Despite attempts to address the issue, more than 1,200 organizational devices were reported lost or stolen between January and December 2024, with HM Revenue and Customs (HMRC) alone accounting for 804 of these losses, including 499 mobile phones.  While this represents a modest decrease compared to the 1,015 devices lost by HMRC in 2023, the number remains troubling given the sensitivity of the information the department handles.

Other departments showed a more worrying trend with The House of Commons reporting 100 devices lost or stolen during 2024, a significant increase from 65 devices the previous year.  Similarly, the Department for Education (DfE) saw device losses climb from 78 in 2023 to 107 in 2024.  The Department for Energy Security and Net Zero (DESNZ) also reported a rise, from 122 lost devices last year to 150 this year.  Meanwhile, the Department for Science, Innovation and Technology (DSIT) reported 113 missing devices.

“Although HMRC’s numbers suggest some improvement following internal audits, the continued high levels of device loss across government departments show that fundamental issues have not been resolved,” comments Jon Fielding, Managing Director, EMEA, Apricorn.  “Every lost or unaccounted device carries a risk for those individuals whose data could be exposed.”

The findings also reveal the extent of personal data breaches, with The House of Commons disclosing 49 incidents involving personal data during 2024, up from 41 reported the previous year.  Despite these breaches, the House of Commons has not had to disclose any such personal data breach to the Information Commissioner’s Office (ICO) in this period.  The figure highlights the continued vulnerability of sensitive personal information within Parliament and other institutions.

Worryingly, several departments that had previously been forthcoming with breach and incident reporting have declined to respond in full this year. The Ministry of Justice (MoJ) and the Department for Education (DfE), for example, both refused to disclose details on data breaches and reports made to the ICO, citing exemptions under Section 24(2) of the Freedom of Information Act (FOIA).  The exemption states that there is no duty to confirm or deny whether the requested information is held if doing so would prejudice national security.  Seven departments are still yet to respond within the deadline, including MoD Police Force, British Army, British Navy, Royal Air Force, Royal Marines, UK Health Security Agency, and the Home Office/HM Passport Office.

“This growing lack of transparency raises further questions about the true scale of data breaches occurring within government departments and the threat to data,” adds Fielding.  “Whilst all departments confirmed their devices are encrypted, they must be supported by strong back-up protocols, inventory control, and employee awareness programmes.  A holistic approach to data protection, including frequent audits, multiple back-up copies, and rigorous disaster recovery testing, is essential to minimize the risks posed by device loss and theft.”