Over 2000 mobile devices used by UK government employees have gone missing in the space of a year, with a significant number unencrypted, according to new Freedom of Information (FOI) data.
Requests were sent by global communications company Viasat to 47 government departments, with full or partial replies received back from 27 of them.
During the period June 1 2018 to June 1 2019, a total of 2004 devices were reported lost or stolen, which amounts to eight per working day or 39 per week, according to the firm.
Even more concerning is the fact that the vast majority (767) were lost by the Ministry of Defence (MoD), followed by HMRC (288), the Department for Business, Energy and Industrial Strategy (197) and the Foreign Office (193).
On the plus side, the majority (1824) of the missing smartphones, laptops, PDAs, external storage devices and tablets were reported as encrypted. However, scores (65) were not, and the status of a further 115 is unknown.
Viasat’s UK managing director, Steve Beeching, argued that mobile security must be a top priority for government.
“Despite the progress made on encrypting devices, the fact that unencrypted government devices are still being lost is concerning, suggesting more needs to be done to ensure data is protected at all times. For devices this means total encryption – going beyond password protection to secure data at a hardware level,” he said.
“While the necessity for security is clear in areas such as defense and security, all government departments run the risk of a damaging security breach. It only takes one device getting into the wrong hands to give malicious actors access to sensitive content, whether top-secret information or personal data.”
In fact, the loss of personal data puts missing devices like these in the realm of GDPR regulation.
Viasat asked the government departments when they had last been audited by privacy watchdog the Information Commissioner’s Office (ICO), which is good practice for public sector organizations. In total, eight of those that replied said they had never been audited, while some had not been checked for years: the MoD’s last audit was in 2010, for example.
Departments can proactively ask for an audit free of charge whenever they like, to ensure they're meeting commitments to data protection laws.
“Individual departments cannot assume that their data will not be of interest to attackers – with the right strategy, any data can be a threat,” continued Beeching. “UK government departments must take a zero-tolerance approach to non-encrypted devices in order to safeguard data from falling into the wrong hands.”