UK Gov data breaches exposed 10k customers’ data, FOI reveals – DIGIT.FYI

UK government departments have suffered hundreds of data breaches which could put the data of over 100,000 people at risk, new data from FOI requests has disclosed.

Revealed today, the FOI requests were compiled by Apricorn, an encrypted USB device manufacturer delving into the rates and nature of data breaches and device loss reported to the Information Commissioner’s Office during 2023.

HM Revenue and Customs (HMRC) was revealed to have declared 18 breaches – the sensetive data the department holds varies from personally identifiable information to sensitive financial details.

The release also showed a stark rise in incidents for the Driver and Vehicle Licensing Authority (DVLA), which escalated from 19 incidents to 278 from 2021 to 2023.

It was also revealed that the House of Commons had 41 reported breaches last year, and the House of Lords suffered eight incidents of breaches or losses.

Apart from the breaches, the FOI requests also revealed a plethora of device losses which could also jeopardise data. HMRC declared that over a thousand devices, including mobiles, tablets, and USBs, were lost or stolen, a marked increase from 2022. However, this figure could be inflated due to an audit of legacy phones which were replaced with newer models.

However, other departments also disclosed device losses – the Ministry of Justice lost 653 devices; the Department of Energy Security and Net Zero: 122; the Department for Education: 78; Home Office: 153; House of Commons: 65; and the Department for Science, Innovation and Technology: 54.

“Government departments will inevitably fall victim to data breaches due to the valuable data they handle, but it’s positive to see these breaches being rightfully declared to the ICO,” Jon Fielding, managing director, EMEA at Apricorn said.

“However, the effects and repercussions for the government departments and their customers could be hugely detrimental. With so much at risk, a back-to-basics approach may well be required to establish how so many breaches are slipping the net.”

Besides these worrying trends in data and device loss, the FOI requests also revealed a lack of policy concerning data breaches among many government departments.

Recommended reading

Of the 40 departments questioned, only one confirmed they had cyber insurance in place, where as 19 stated they did not, and 13 declined to disclosed, while the rest did not respond.

Six of those that did respond, including HMRC and the Cabinet Office, declared that they had no intention of seeking cyber insurance. This could be because cyber insurance is not factored into their budgets, though recovery after a data breach could prove to be more expensive.

“Though cyber insurance is not mandated, it’s certainly a worthwhile investment given the value of the data housed by these government departments. These same FoI requests unveiled councils within the UK have disclosed almost 1500 data breaches in 2022,” Fielding said.

“The cost of recovery and response can far outweigh the cover itself and put public data at risk of being further exposed. That said, insurance is not simply about the cost of a breach but helps organisations focus on shoring up cyber defences to ensure compliance regulations are met and adhered to. It also allows for organisations to identify and implement the tools and back-up processes that can limit the chance of attack and enable full recovery should a breach occur.”