Government departments' data security standards slip

Freedom of Information requests have found that at least 2,000 devices were reported lost or stolen across seven government departments throughout 2023; and that data of at least 10,200 customers was put at risk by HM Revenue and Customs over the same period.

The FoI request, submitted by Apricorn, highlight the number of disclosures made to the Information Commissioner’s Office only, and so the actual numbers of lost of stolen devices could be even higher – particularly concerning given the sensitivity of the vast amounts of data that HMRC is charged with safeguarding.

The Driver and Vehicle Licensing Authority meanwhile declared 278 breaches in 2023, marking a huge increase on previous years (19 breaches in 2021 and nine in 2022), implying that standards have plummeted in data security there.

Other departments disclosing data breaches included the House of Commons, which experienced 41 data breaches in total, and the House of Lords, which disclosed eight near misses (where there may be no evidence that data has been accessed inappropriately) losses and breaches. Of these eight incidents, one was recorded as a loss and one as a breach.

“Government departments will inevitably fall victim to data breaches due to the valuable data they handle, but it’s positive to see these breaches being rightfully declared to the ICO. However, the effects and repercussions for the government departments and their customers could be hugely detrimental. With so much at risk, a back-to-basics approach may well be required to establish how so many breaches are slipping the net,” said Jon Fielding, managing director, EMEA Apricorn.

Breaches aside, of the 15 departments questioned, nine declared the loss and theft of multiple organisational devices.

HMRC led the pack for all the wrong reasons again, having reported 1,015 lost and stolen devices, including 583 mobiles, 428 tablets and four USBs – up again from the prior year.

The Ministry of Justice misplaced 653, the Department for Energy Security and Net Zero 122, the Department for Education 78, the Home Office 153, the House of Commons 65, and the Department for Science, Innovation and Technology 54.

“The number of devices being lost or stolen within these departments is huge and whilst they are all encrypted, it’s important that they have robust back-up plans in place. This is particularly prudent in the throes of a ransomware attack which is highly plausible with such sensitive data at play. Ensuring they have at least three copies of data, on at least two different media, with at least one copy held offsite is a must. Equally, the recovery process must also be rigorously and regularly tested to ensure full data restoration can be achieved effectively,” added Fielding.

The FoI requests were submitted between February and April 2024.

Pictured: HMRC's offices in The International Quarter, London

Share Story:


Deborah Ritchie speaks to Chief Inspector Tracy Mortimer of the Specialist Operations Planning Unit in Greater Manchester Police's Civil Contingencies and Resilience Unit; Inspector Darren Spurgeon, AtHoc lead at Greater Manchester Police; and Chris Ullah, Solutions Expert at BlackBerry AtHoc, and himself a former Police Superintendent. For more information click here

Modelling and measuring transition and physical risks
CIR's editor, Deborah Ritchie speaks with Giorgio Baldasarri, global head of the Analytical Innovation & Development Group at S&P Global Market Intelligence; and James McMahon, CEO of The Climate Service, a S&P Global company. April 2023