More than 2,000 government-issued laptops, phones and tablets were lost or stolen across Whitehall departments over the past year, as reported by The Guardian. The estimated replacement cost? £1.3 million. The broader cost to national security is a lot harder to calculate.
Departments including the Ministry of Defence (MoD), the Department for Work and Pensions, and the Cabinet Office reported hundreds of missing devices in 2024 and early 2025. In just the first five months of this year, the MoD alone reported 103 laptops and 387 phones gone missing. The Home Office, Treasury, and Bank of England were among other departments affected.
Cybersecurity experts say the scale of the losses poses a systemic risk. While most devices are encrypted, that doesn’t rule out all potential compromise. If a phone is unlocked at the moment, it’s taken (a common scenario in street thefts) a bad actor could potentially access sensitive data or authentication tokens tied to government systems.
“These are surprisingly large numbers,” said Prof Alan Woodward of the University of Surrey. “Even if 1% belonged to system administrators, that’s enough to get in.”
Government departments insist protections are in place. The MoD and Bank of England both said they take data security seriously and have robust procedures to prevent and investigate losses. A government spokesperson said devices are encrypted to prevent unauthorised access, and every incident is investigated.
Still, critics say the rising number of incidents points to a broader problem. David Gee, CMO at Cellebrite, warned that the loss of devices from agencies handling sensitive national data, including defence and healthcare, is a major security concern.
The Department for Science, Innovation and Technology, which oversees the UK’s cybersecurity strategy, also reported 101 devices lost or stolen over the past year. With departments increasingly dependent on mobile and remote systems, experts say securing the endpoint, particularly in the hands of staff, is now mission critical.
Risk Beyond Financial Loss
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, says this represents a cybersecurity risk that extends beyond the financial loss. “While the government assures us about encryption, the sheer number of missing devices creates a significant attack surface for potential bad actors. Encryption is a great control to have in place, but it’s not a silver bullet. Unlocked devices or misconfigurations could still pose risks. This situation requires a thorough review of current security practices and their real-world effectiveness.”
We need a multi-pronged approach here, says Malik. “Raising awareness for staff on securing devices and the risks, implementing device tracking systems, and creating transparent, accountable processes for handling losses. Also, every lost device should be a learning opportunity to strengthen the cybersecurity culture of an organisation. It’s not just about ticking boxes; it’s about constantly evolving our defences to stay ahead of threats.”
Refurbished, Then Sold
“Stolen hardware is often “refurbished” and then sold as used devices,” adds Boris Cipot, Senior Sales Manager at Black Duck. “This is because modern encryption software on these devices makes it difficult to access the data stored on hard drives or other storage media. However, even the most advanced encryption is ineffective if the encryption key or user password is weak.”
Cipot says strong encryption software cannot protect data if the user password is easily guessable.
“There are several methods that can be used to break into a system, and the weaker the password, the easier it is to crack. Therefore, companies should not solely rely on the technical capabilities of protection software. They must also ensure that the passwords used to access and disable encryption are as strong as possible.”
For government-issued laptops and phones, Cipot says it is particularly recommended to implement MFA. “MFA can take the form of digital methods, such as biometric verification, or physical methods, such as a USB key or ID card. This additional layer of security significantly enhances the protection of sensitive data and reduces the risk of unauthorized access, furthering ensuring uncompromised trust in software.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.