Over 1,200 government devices lost or stolen across 2024

According to findings from Apricorn's annual Freedom of Information requests, more than 1,200 devices were reported lost or stolen across major UK government departments in 2024.

The data, collected from 17 departments, shows persistent issues with device security across the public sector, despite internal efforts to resolve the problem. The statistics reveal a number of departments have seen an increase in reported lost or stolen devices compared to last year.

HM Revenue and Customs (HMRC) reported the largest share of device losses, with 804 devices missing in 2024, including 499 mobile phones. While HMRC's numbers show a decrease from the 1,015 devices reported lost in 2023, the loss remains notable due to the department's role in handling sensitive information.

Internal audits at HMRC identified that a segment of the reported phone losses arose from legacy devices that had been replaced with newer models, underlining inventory management issues that persist within the department.

The House of Commons, however, reported a rise in device losses, with 100 reported lost or stolen in 2024 compared to 65 the previous year. The Department for Education (DfE) also observed an increase, with 107 device losses reported in 2024 versus 78 in 2023. The Department for Energy Security and Net Zero (DESNZ) saw its lost device count grow from 122 to 150 year-on-year. The Department for Science, Innovation and Technology (DSIT) reported 113 missing devices.

"Although HMRC's numbers suggest some improvement following internal audits, the continued high levels of device loss across government departments show that fundamental issues have not been resolved. Every lost or unaccounted device carries a risk for those individuals whose data could be exposed," Jon Fielding, Managing Director, EMEA at Apricorn, said.

The findings also shed light on incidents involving personal data breaches. The House of Commons reported 49 incidents involving personal data in 2024, up from 41 last year. Despite these breaches, there has been no need for the House of Commons to report any such personal data breach to the Information Commissioner's Office (ICO) during this period. The continued occurrence of these incidents highlights the vulnerability of personal information held by Parliament and other agencies.

Some departments that previously supplied breach details have withheld their responses this year. The Ministry of Justice (MoJ) and Department for Education (DfE) declined to disclose information on data breaches or reports to the ICO, citing exemptions under Section 24(2) of the Freedom of Information Act, which allows withholding such information if disclosure could prejudice national security.

Seven departments missed the deadline to respond to the FoI requests. These include the Ministry of Defence Police Force, British Army, British Navy, Royal Air Force, Royal Marines, UK Health Security Agency, and the Home Office/HM Passport Office.

"This growing lack of transparency raises further questions about the true scale of data breaches occurring within government departments and the threat to data. Whilst all departments confirmed their devices are encrypted, they must be supported by strong back-up protocols, inventory control, and employee awareness programmes. A holistic approach to data protection, including frequent audits, multiple back-up copies, and rigorous disaster recovery testing, is essential to minimise the risks posed by device loss and theft," Fielding noted.

The Freedom of Information requests underpinning these findings were initiated in early 2025, and Apricorn has reported that department responses form the basis of its published statistics for 2024.