The UK government lost an average of 39 devices a week in the 12 months between 1 June 2018 and 1 June 2019, highlighting the need for stronger security practices.
This is according to a series of freedom of information (FoI) requests by global communications company Viasat, which found that 2,004 UK government mobile devices, including portable hard drives, smartphones and laptops, were lost or stolen over the 12-month period.
Of these, 1,474 were reported as lost, while 347 were stolen. It is not known what happened to the remaining 183 devices. Only 249 were recovered.
The findings cover the 27 government departments or public bodies that responded to the FoI requests; a further 20 did not respond. As a result, the true number may be higher.
Device loss highlights security concerns in UK government
Not only were so many devices lost, but at least 65 (3%) contained no encryption, meaning that anyone who obtained them would have been able to access their contents.
It is not clear if data contained on such devices was sensitive in nature, but it does highlight that the UK government needs to do more to ensure that its security is adequate.
“This data shows us the struggle the UK is currently facing when it comes to securing data. Information assurance alongside mobile device security must be a top priority for the UK government,” said Steve Beeching, managing director of Viasat UK.
“Despite the progress made on encrypting devices, the fact that unencrypted government devices are still being lost is concerning, suggesting more needs to be done to ensure data is protected at all times. For devices this means total encryption – going beyond password protection to secure data at a hardware level.
“While the necessity for security is clear in areas such as defence and security, all government departments run the risk of a damaging security breach. It only takes one device getting into the wrong hands to give malicious actors access to sensitive content, whether top-secret information or personal data.”
UK government security: The worst offending departments
While the findings raise serious security concerns across the UK government, some departments had a much higher level of device loss than others.
The Ministry of Defence was by far the worst, accounting for 38% of all devices lost or stolen over the 12-month period, followed by HM Revenue and Customs (HMRC) on 14% and the Department for Business, Energy and Industrial Strategy on 10%.
The ten worst government departments by number of devices lost or stolen
- Ministry of Defence (767)
- HMRC (288)
- Department for Business, Energy and Industrial Strategy (197)
- Foreign and Commonwealth Office (193)
- Home Office (164)
- Department for Education (162)
- Department for International Development (82)
- Department for Environment, Food and Rural Affairs (44)
- Department for Exiting the European Union (36)
- Department for Communities and Local Government (18)
Government ICO audit rates “worrying”
Viasat also included a request for the date of the last audit by the Information Commissioner's Office (ICO), which handles data security breaches in the UK.
While not all departments responded to this FoI request, those that did provided some alarming results.
Eight departments have never been audited by the ICO, including two on the worst-offenders list for device losses, while many others have not been audited in years.
Of the five that did report being audited, the most recent – the Department for Business, Energy and Industrial Strategy – was in 2017. The worst was the Ministry of Defence, which has not been audited since 2010, a decade ago.
This is particularly notable, because governments are increasingly being targeted by cyberattacks – both by criminals and nation-state-backed threat actors – making effective data security more important than ever.
“This ICO audit data is worrying – with cyberattacks being carried out by nation state actors and other individuals on a near-daily basis, it is imperative the government strives to ensure no data is put at risk,” said Beeching.
“Individual departments cannot assume that their data will not be of interest to attackers – with the right strategy, any data can be a threat. UK Government departments must take a zero-tolerance approach to non-encrypted devices in order to safeguard data from falling into the wrong hands.”