Government Staff Lost More Than 600 Laptops, Phones And USBs In Last Four Years

Staff in five government departments have lost more than 600 laptops, mobile phones and USB sticks in the last four years.

The figures, obtained under the Freedom of Information Act, show that since 2014 the Home Office has recorded 327 devices missing, the Department for Transport 172 and the Treasury 117, while the offices of Wales and Scotland lost seven between them.

Other departments – including the Ministry of Defence, Department for Work and Pensions and Attorney General’s office – did not respond, citing exemptions under the act. 

The most commonly misplaced items were phones and Blackberries, which accounted for nearly 60%, followed by laptops at 28%.

Eloise Todd, CEO of campaign group Best For Britain, which obtained the figures, said: “It’s scandalous that such a large amount of equipment and data has gone missing.

“There seems to be a cavalier approach to the storage and protection of data.  While the government cannot answer simple questions on Brexit, it can lose such important equipment.

“At a time when national security is paramount, it’s vital that far more is done to encrypt sensitive data and staff are held to account.”

Best For Britain CEO Eloise Todd

A Treasury spokesperson said the department takes all security breaches “extremely seriously”.

“For losses of departmental IT equipment, a security breach is recorded against the member of staff responsible,” they added.

“Incidents of loss are included in monthly reports, which are sent to senior management for awareness and action. 

“This also applies in cases where theft has clearly been the result of negligence and under certain circumstances, disciplinary action might also be taken against the member of staff to whom the item has been issued, e.g, in cases of deliberate or persistent negligence.”

A Home Office spokesperson said all of the department’s devices are encrypted to prevent unauthorised access. 

“We treat the security of our information very seriously.  Any lost device must be reportedly immediately so further restrictions can be applied remotely,” they added.

Cyber security experts say implementing encryption as standard policy – and ensuring all staff abide by it – is crucial in preventing “catastrophic” data losses. 

Dick O’brien, threat researcher at software company Symantec, told HuffPost UK: “Basically, the loss of a device is never good. 

“The outcomes can range from embarrassment and reputational damage at best and the loss of confidential or even classified information at worst. 

“Just how bad the outcome is depends on the level of security of the device, for which we advise a three-strand approach, including limiting what is kept on a mobile device to the bare minimum on what a person needs to work on outside the office. 

Experts say all phones should have a passcode

“Secondly, we recommend full disk encryption, so you have to enter a password into the device before you can do anything at all, including accessing the hard drive, and passcodes for mobile phones.

“But organisations also need to educate their workers on the risks – we hear so many stories of things being left in taxis or pubs.”

Petter Nordwall, director product management at security software firm Sophos, said he had “lost count” of the number of mobile phones he had personally lost. 

“It’s very easily done – a phone can just fall out of your pocket,” he added.

“The issue is not the cost, but the data which sits on those devices.  With smartphones, and in the case of the government, that could include sensitive information, confidential data or even national secrets.

“This information may have been shared in email attachments, which people think very little of sending, and can be easily accessed on a phone without a passcode.”

Previous FOI requests have unearthed losses totally hundreds from the Ministry of Defence, and transparency campaigners say information for every government department should be published as a matter of course.

Nordwall agrees the best way to keep on top of secure information is to ensure all mobile devices – both laptops and phones – are encrypted. 

“Full disk encryption comes built in with most modern devices and organisations should make sure it is always turned on, and that all staff are complying with that policy,” he said.  

“Passcodes should always be in place on phones and they should not be something easy to work out, like ’1234′.

“There is no good reason not to do this.  It could be the difference between a Chernobyl-level disaster in terms of a data breach, or a Three Mile Island one.”