UK government departments reveal rise in data breaches & lost devices
A significant increase in data breaches and device losses within key UK government departments has been brought to light following responses to annual Freedom of Information (FoI) requests. Apricorn, a global leader in the manufacture of hardware-encrypted USB drives, announced the findings, which show many thousands of customers potentially affected by breaches declared to the Information Commissioners Office (ICO).
The HM Revenue and Customs (HMRC) declared 18 breach reports impacting around 10,209 customers in 2023. The potential risk is heightened because of the sensitive nature of the data held by HMRC, which includes personally identifiable information (PII) as well as financial information related to tax, pensions, and benefits.
The Driver and Vehicle Licensing Authority (DVLA) has seen a worrying increase in breaches, disclosing a substantial 278 breaches in 2023, compared to 19 in 2021 and just nine in 2022. This substantial upturn suggests that there is an urgent need for improved data protection measures. Departures from the norm were also seen in the House of Commons and the House of Lords, who disclosed 41 and eight data breaches respectively. Of the latter, one was classified as a 'Loss' and one as a 'Breach'.
"Government departments will inevitably fall victim to data breaches due to the valuable data they handle, but it's positive to see these breaches being rightfully declared to the ICO. However, the effects and repercussions for the government departments and their customers could be hugely detrimental. With so much at risk, a back-to-basics approach may well be required to establish how so many breaches are slipping the net," commented Jon Fielding, Managing Director, EMEA at Apricorn.
Apart from data breaches, the FoI data also spotlighted the loss and theft of multiple organisational devices within nine out of the 15 departments questioned. The highest total was reported by HMRC, tallying 1,015 devices, which included mobiles, tablets, and USBs. An increase from previous years - 635 lost in 2022, 346 in 2020, and 375 in 2019. A significant number of the reported phone losses were, however, down to an audit of legacy phones which have now been replaced with newer models.
Other departments also reported lost devices - the Ministry of Justice misplaced 653, the Department for Energy Security and Net Zero - 122, the Department for Education - 78, Home Office - 153, House of Commons - 65, and the Department for Science, Innovation and Technology - 54. Despite the devices being encrypted, there are concerns around the robustness of the back-up plans in place.
"Ensuring they have at least three copies of data, on at least two different media, with at least one copy held offsite is a must. Equally, the recovery process must also be rigorously and regularly tested to ensure full data restoration can be achieved effectively," added Fielding.