June 2024


Data of over 10,000 customers put at risk by HMRC breaches declared to ICO

Reporter: Stuart Littleford

More than 2,000 devices reported lost or stolen across seven government departments in 2023

Apricorn, the leading manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB drives, has today announced findings from annual Freedom of Information (FoI) responses into data breaches and device loss within government departments. The results highlight an alarming number of customers potentially affected by breaches declared to the Information Commissioner’s Office (ICO) by the HM Revenue and Customs (HMRC) during 2023.

HMRC noted that the number of customers potentially affected by the 18 breach reports on notifiable incidents disclosed to the ICO totalled 10,209. This is concerning given the sensitivity of the data that HMRC houses which ranges from personally identifiable information (PII) to financial data concerning tax, benefits and pensions which could pose a significant risk if it should fall into the wrong hands.

Worryingly, the Driver and Vehicle Licensing Authority (DVLA), which declared 19 breaches in 2021 and just nine in 2022, disclosed a colossal 278 breaches in 2023. This marks a huge increase on previous years and implies that standards are slipping and that there’s work to be done in securing data.

Other departments disclosing data breaches included the House of Commons which experienced 41 data breaches in total and the House of Lords which disclosed eight Near Misses (where there may be no evidence that data has been accessed inappropriately) Losses and Breaches. Of these eight incidents, one was recorded as a Loss and one as a Breach.

“Government departments will inevitably fall victim to data breaches due to the valuable data they handle, but it’s positive to see these breaches being rightfully declared to the ICO. However, the effects and repercussions for the government departments and their customers could be hugely detrimental. With so much at risk, a back-to-basics approach may well be required to establish how so many breaches are slipping the net”, said Jon Fielding, Managing Director, EMEA Apricorn.

Breaches aside, of the 15 departments questioned, nine declared the loss and theft of multiple organisational devices. The HMRC again tipped the scale, having reported 1015 lost and stolen devices, including 583 mobiles, 428 tablets and four USBs. Somewhat more than the 635 that went amiss in 2022, 346 in 2020 and 375 in 2019. A significant number of the reported phone losses were, however, the result of an internal audit of legacy phones that had been replaced with newer models.

Amongst others, the Ministry of Justice misplaced 653, the Department for Energy Security and Net Zero – 122, the Department for Education (DfE) – 78, Home Office – 153, House of Commons – 65,  and Department for Science, Innovation and Technology – 54.

“The number of devices being lost or stolen within these departments is huge and whilst they are all encrypted, it’s important that they have robust back-up plans in place. This is particularly prudent in the throes of a ransomware attack which is highly plausible with such sensitive data at play. Ensuring they have at least three copies of data, on at least two different media, with at least one copy held offsite is a must. Equally, the recovery process must also be rigorously and regularly tested to ensure full data restoration can be achieved effectively,” added Fielding.

An HMRC spokesperson told GPSJ: “Security and privacy are at the heart of our work as we deal with tens of millions of customers every year.

“We take quick action to deactivate any lost or stolen devices and investigate all security incidents, taking steps to reduce future recurrences.” 


  • All HMRC standard issue devices are encrypted to HMG standards, and they are all deactivated remotely once they have been reported lost or stolen.  
  • We constantly monitor and review our security measures, strengthening them where required. 
  • Furthermore, HMRC staff are required to report all lost or stolen HMRC IT devices as security incidents and all security incidents are investigated. After the loss / theft has been reported, IT devices are sometimes subsequently located and recovered.

About the FoI Requests        

The research was conducted through Freedom of Information requests submitted through Whatdotheyknow.com. The requests, submitted between February and April 2024, along with the successful responses can be found here.

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>




This site uses Akismet to reduce spam. Learn how your comment data is processed.