Apricorn, the pioneering manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB data storage devices, now announced the findings from its annual Freedom of Information (FoI) requests into device loss and data breaches across major government departments in 2024.
The figures indicate that device security issues remain endemic across the public sector, with several departments reporting an increase in lost and stolen devices compared to the previous year, despite attempts to address the issue.
Sensitivity of the information
HM Revenue and Customs (HMRC) alone accounted for 804 of these losses, including 499 mobile phones
Across the 17 departments questioned, more than 1,200 organizational devices were reported lost or stolen between January and December 2024.
HM Revenue and Customs (HMRC) alone accounted for 804 of these losses, including 499 mobile phones. While this represents a modest decrease compared to the 1,015 devices lost by HMRC in 2023, the number remains troubling given the sensitivity of the information the department handles.
Flagged legacy devices
A large number of the reported phone losses were the result of an internal audit that flagged legacy devices replaced with newer models, highlighting ongoing inventory management challenges.
Other departments showed a more worrying trend with The House of Commons reporting 100 devices lost or stolen during 2024, a significant increase from 65 devices the previous year. Similarly, the Department for Education (DfE) saw device losses climb from 78 in 2023 to 107 in 2024.
HMRC’s numbers
DESNZ also reported a rise, from 122 lost devices last year to 150 this year
The Department for Energy Security and Net Zero (DESNZ) also reported a rise, from 122 lost devices last year to 150 this year. Meanwhile, the Department for Science, Innovation and Technology (DSIT) reported 113 missing devices.
"Although HMRC’s numbers suggest some improvement following internal audits, the continued high levels of device loss across government departments show that fundamental issues have not been resolved," said Jon Fielding, Managing Director, EMEA, Apricorn. "Every lost or unaccounted device carries a risk for those individuals whose data could be exposed."
Extent of personal data breaches
The findings also reveal the extent of personal data breaches, with The House of Commons disclosing 49 incidents involving personal data during 2024, up from 41 reported the previous year.
Despite these breaches, the House of Commons has not had to disclose any such personal data breach to the Information Commissioner’s Office (ICO) in this period. The figure highlights the continued vulnerability of sensitive personal information within Parliament and other institutions.
Data breaches and reports
Seven departments are still yet to respond within the deadline, including MoD Police Force, British Army
Worryingly, several departments that had previously been forthcoming with breach and incident reporting have declined to respond in full this year.
The Ministry of Justice (MoJ) and the Department for Education (DfE), for example, both refused to disclose details on data breaches and reports made to the ICO, citing exemptions under Section 24(2) of the Freedom of Information Act (FOIA).
The exemption states that there is no duty to confirm or deny whether the requested information is held if doing so would prejudice national security. Seven departments are still yet to respond within the deadline, including MoD Police Force, British Army, British Navy, Royal Air Force, Royal Marines, UK Health Security Agency, and the Home Office/HM Passport Office.
Holistic approach to data protection
Fielding added, "This growing lack of transparency raises further questions about the true scale of data breaches occurring within government departments and the threat to data. While all departments confirmed their devices are encrypted, they must be supported by strong back-up protocols, inventory control, and employee awareness programmes."
"A holistic approach to data protection, including frequent audits, multiple back-up copies, and rigorous disaster recovery testing, is essential to minimize the risks posed by device loss and theft."
Stay ahead in the era of intelligent security systems powered by Artificial Intelligence with our special e-magazine on AI in security.
