Data loss incidents suffered by the Home Office more than doubled in 2019-20 compared to the previous year, with a majority of incidents involving inadequately protected electronic equipment, devices, and documents that contained sensitive information.
According to data obtained by think tank Parliament Street from the Home Office’s Annual Report and Accounts 2019-20, 2,404 out of the total of 4,204 data loss incidents suffered by the Home Office pertained to the improper storage of electronic equipment, devices, and documents.
In comparison, the Home Office suffered 1,895 data loss incidents in the 2018-19 period, less than half of what it suffered in the following year. In 2019-20, the Home Office also suffered 946 incidents involving the loss of electronic equipment or documents from secured premises, compared to just 146 such incidents in the previous financial year.
As many as 25 data loss incidents the Home Office suffered in 2019-20 were of a severe nature and had to be reported to the Information Commissioner's Office. Out of these 25 incidents, 11 occurred due to unauthorised disclosure of sensitive information, Parliament Street found.
In February this year, the Independent Chief Inspector of Borders and Immigration (ICIBI) said the Home Office faced around a hundred incidents of data loss or leakage to unauthorised third parties by misplacing the personal documents of EU residents when handling the EU settlement scheme.
The misplaced documents included passports, identification documents, and several other postal items containing sensitive information that were delivered to incorrect addresses. These incidents occurred around the same time that the Home Office committed an "administrative error" that resulted in the leakage of email addresses of hundreds of Windrush migrants to unauthorised parties.
Commenting on the large number of data loss incidents suffered by the Home Office, Tim Bandos, CISO at Digital Guardian, said cyber security programmes should ensure that emphasis is placed on the security of the data itself – and not just on networks, servers and applications. Shifting the focus towards identifying, controlling and securing sensitive data assets may not prevent a cyber breach, but it will minimise data loss – and hopefully the need to admit you should have known better.
“Closing the doors to private cloud hosted services is a proactive approach to preventing data loss. Prevention is better than reaction, so focusing on implementing approved and secure channels is the preferred approach.
“Organisations don’t have to make themselves ineffective, just provide a sufficient set of tools and technologies like DLP (data loss prevention) that they can control, rather than allowing people to use services completely outside of their control,” he added.