10,000 Customers’ Data Exposed in UK Government Breaches

Data breaches and device losses within UK government departments have potentially put the information of over 10,000 customers at risk.

The findings come from Apricorn, a manufacturer of hardware-encrypted USB drives, based on a compilation of annual Freedom of Information (FOI) responses.

Disclosed today, the figures reveal alarming statistics regarding breaches reported to the Information Commissioner’s Office (ICO) by HM Revenue and Customs (HMRC) during 2023.

According to the company, HMRC’s declaration of 18 breach reports underscores the gravity of the situation. The sensitive data housed by the department ranges from personally identifiable information to financial details such as tax and benefits records. 

Of particular note is the significant increase in breaches reported by the Driver and Vehicle Licensing Authority (DVLA), which escalated from 19 incidents in 2021 to 278 in 2023. This surge suggests vulnerabilities within governmental security protocols requiring urgent attention and remediation.

Additionally, the House of Commons reported 41 breaches last year, while the House of Lords disclosed eight incidents, including losses and breaches.

“Government departments will inevitably fall victim to data breaches due to the valuable data they handle, but it’s positive to see these breaches being rightfully declared to the ICO,” commented Jon Fielding, managing director of EMEA at Apricorn.

“However, the effects and repercussions for the government departments and their customers could be hugely detrimental. With so much at risk, a back-to-basics approach may be required to establish how many breaches are slipping the net.”

Breaches aside, nine out of the 15 departments questioned declared the loss and theft of multiple organizational devices. HMRC again tipped the scale, reporting 1015 lost and stolen devices, including 583 mobiles, 428 tablets and four USBs. This figure is somewhat more than the 635 that went missing in 2022, 346 in 2020 and 375 in 2019. However, a significant number of the reported phone losses were the result of an internal audit of legacy phones that had been replaced with newer models.

In particular, the Ministry of Justice misplaced 653 devices, the Department for Energy Security and Net Zero lost 122, the Department for Education (DfE) reported 78 losses, the Home Office experienced 153, the House of Commons had 65, and the Department for Science, Innovation and Technology recorded 54 losses. 

“The number of devices being lost or stolen within these departments is huge, and whilst they are all encrypted, it’s important that they have robust backup plans in place,” Fielding added. “This is particularly prudent in the throes of a ransomware attack, which is highly plausible with such sensitive data at play.”

For more details about the data compiled by Apricorn, the original FOI requests are available here.
