UK government loses hundreds of IT devices

UK government departments are losing hundreds of devices each year according to Freedom of Information (FoI) requests submitted by encrypted drive manufacturer Apricorn.

The Home Office declared 469 lost and stolen devices between September 2021 and September 2022, with the Ministry of Defence not far behind with 467 mobiles, tablets and USB devices unaccounted for.

HM Revenue and Customs (HMRC) declared 635 lost and stolen devices including 387 mobiles, 244 tablets and four USB drives -- a 45 percent percent increase on the numbers shared for the same period in 2020-2021 (346) and 40 percent more than 2019-2020 (375).

The Department of Business, Energy and Industrial Strategy admits to 204 lost and stolen devices -- almost double the 107 declared in the previous year. The Department for Education confirmed the loss and theft of 356 devices, including 296 USB drives. The Prime Minister's Office also reported 203 misplaced devices.

"We have asked these same questions via these FoI requests for the last three years and whilst it's not surprising to see devices unaccounted for, we would hope to see the numbers declining as cybersecurity becomes more established," says Jon Fielding, managing director, EMEA at Apricorn. "Robust, regularly reviewed and tested policy and practice, with appropriate technology choices and implementation, supported by education and comprehensive backup and recovery strategy, is a must for optimum protection."

The Ministry of Justice declined to provide answers to the FoI request but its own annual report covering April 2021-March 2022, reveals a huge number of breaches declared to the ICO. Most disturbing being the disclosure of a COVID status spreadsheet of 1,800 staff and offenders sent by email to all staff within a prison.

The Foreign, Commonwealth and Development Office also declined to respond to requests, but its annual report for 2021-22 shows 117 personal data incidents.

Despite the worrying number of devices going missing in action, when questioned on the security of these devices, all of the government departments asked confirmed the missing devices were all encrypted as standard.

Fielding adds, "The good news is that encryption is obviously recognized, and in the case of government departments, mandated, as a critical component of device security. Hardware encrypted storage devices should be provided as standard to ensure that any sensitive data held on them should always be unintelligible if they happen to be misplaced and fall into the wrong hands. Additionally, encryption should be combined with the automation and enforcement of security policies through technology wherever possible."

You can see responses to all of the FoI requests here.

Image credit: PromesaStudio/depositphotos.com