The Ministry of Defence recorded 72 incidents when “inadequately protected” electronic equipment, devices or paper documents were mislaid last year, it has revealed.
The number of times inadequately protected devices and documents were lost from secured government premises climbed from 27 in 2022-23 to 40 last year, the MoD’s annual report shows.
And devices and documents were lost from outside secured government premises on 32 occasions – up from nine the year before.
The figures show the number of physical devices and documents being misplaced has grown over the last few years – with a total of 49 incidents recorded in 2021-22 and 34 in 2020-21. In one widely reported breach in 2021, MoD documents were found in a “soggy heap” at a Kent bus stop, leading to the civil servant in question having their security clearance suspended.
All together, there were 569 protected personal data-related incidents last year that did not require reporting to the Information Commissioner’s Office in 2023-24, up from 550 the previous year.
The department did manage to reduce the number of unauthorised disclosures made by staff, which fell from 464 incidents in 2022-23 to 411 last year. But the number of “other” personal data-related incidents climbed from 49 to 85.
There was just one occurrence of inadequately protected paper documents being insecurely disposed of last year, according to the report – the same as the year before.
There was also only one incident that the MoD had to report to the ICO last year – in which emails containing personal data of MoD personnel were sent to an email address linked to another government. Thirty-three people were affected by the incident, in which names, email addresses, ranks and contact details were erroneously revealed.
Personal data breaches must be reported to the data watchdog if they are deemed likely to threaten people’s rights or freedoms.
Last year, the MoD was fined £350,000 over a data breach in 2021 that divulged the identities of hundreds of Afghan nationals who worked for the UK government in Afghanistan. The ICO said the breach could have resulted in a threat to life if it had fallen into the hands of the Taliban.
'Refreshed' training could mean more incidents reported
The increase in recorded data incidents may partly be down to the annual data-protection training for staff being “revised and refreshed” and efforts to promote data-protection awareness, as well as “ongoing technology developments”, the MoD said.
These measures followed a review of incident management in 2023, which examined and led to a change in the department’s method for reporting incidents.
“It is reasonable to infer that these measures have resulted in a higher number of incidents being identified, so that the department can learn and mitigate the likelihood of serious incidents occurring,” the report said.
The MoD’s cyber defence and risk directorate is working to “drive down cyber risk on a number of fronts”, according to the annual report.
Steps it has taken include updating and rewriting cybersecurity policies to make them clearer and more usable; implementation of a “secure by design” approach, which the report says reinforces project managers’ and system owners’ accountability for cybersecurity; and the rollout of a document labelling tool and “automated data-loss prevention activities” to prevent inappropriate sharing through emails.
“The MoD takes the security of its personnel, data and establishment seriously. Every data incident reported, including near misses, is investigated to determine the root cause and the MoD data protection officer’s team works with business areas to reduce the likelihood of reoccurrence,” the report said.
“As most of the incidents relate to human error, training and awareness activities are regularly undertaken to continuously improve staff knowledge and understanding of the data protection principles and the processes and procedures that must be followed to secure data.”
The report added that the MoD’s cyber defence and risk directorate is working to “drive down cyber risk on a number of fronts”.