Dozens of personal electronic devices have gone missing while in the possession of MPs and Lords this year, newly released data shows.
The list includes 27 items of parliamentary-supplied equipment that were lost or stolen while in the keep of members in the House of Commons.
The IT equipment, which has gone missing amid heightened concerns over the handling of data at Westminster, included iPads, phones and laptops.
Cyber security experts said that the loss of devices potentially containing ‘vast amounts of sensitive data’ gives a ‘window of opportunity’ to hostile actors that could include foreign states and organised crime gangs.
In only two instances were the personal devices marked as found, with no information given in all the other cases. In the Lords, six items went missing, including two laptops, two iPads and a desktop.
Two of the disappearances were marked ‘lost’ and the remaining three ‘lost/stolen’ in the data provided in responses to requests by Metro.co.uk under the Freedom of Information Act.
Marijus Briedis, a cybersecurity expert at NordVPN, said: ‘It’s really important to protect your login information but people forget that it’s just as crucial not to let hardware fall into the wrong hands.
‘Taking physical possession of a lost or stolen device makes it even easier for the most sophisticated criminals to hack in and steal information.
‘For most people, this may not be much of a worry because the level of know-how required means this isn’t a common problem and the prize has to be worth the hacker’s efforts.
‘However, if you’re an individual with valuable documents, data or commercially sensitive information on your devices then you are naturally a prime target for this brand of organised crime.
‘Captains of industry and senior politicians have long been frequent targets of state-sponsored and commercial espionage in the past.
‘The more valuable the data on your phones and hard drives, the higher the level of encryption you will need to protect it. Many in government will have expensive software solutions on their devices designed to defeat the sort of spyware only governments can afford, such as an Israeli system known as Pegasus, but lose the device altogether and there’s a window of opportunity where even that won’t necessarily save you.’
In the Commons, nine of the losses were of iPads with cellular data.
In one of the incidents, a laptop and iPad cellular were listed as having gone missing while in the possession of an MP.
The names of the parliamentarians who reported the losses were withheld under a data protection exemption stipulated in the Act.
The partial and heavily redacted data for the year to November has been released amid concern about cyber-security among government ministers, especially in light of threats from hostile states.
Oliver Pinson-Roxburgh, CEO of cyber-security firm Defense.com, said: ‘This story is a great example of why security only works if everyone involved plays their part. One weak link can overcome the highest-grade tech solutions, significant funding, and well thought out plans.
‘Parliament clearly needs to rethink its approach to security.
‘It’s imperative that parliament constructs a security environment that both empowers and secures its workforce.
‘Even if devices are up to date with the latest security patches, new exploits and vulnerabilities are being discovered weekly, which means you can never assume that stolen or lost devices are safe.
‘If bad actors have physical possession, there is always the possibility that they can break a device’s security and gain access to important documents, platforms, and information.’
Mr Pinson-Roxburgh warned that the need for vigilance was heightened when sensitive information of public concern weighed in the balance.
‘It is essential that those in positions of power and responsibility that have access to vast amounts of sensitive data, take their obligations of keeping that data secure seriously,’ he said. ‘This is especially true of government officials with access to the public’s personal data.
‘Security is not a theoretical or administrative issue, it’s very real and failure to recognise that can have tremendous real-world consequences.
‘While there are tools that can secure lost devices, this is not an excuse for failing to act on best security practices, and no methods are infallible.
‘Not every lost device will land in the hands of foreign agents or organised cybercrime gangs, but from an infosecurity standpoint, you can’t assume that it won’t, especially when dealing with high-level government positions.’
In October, Liz Truss’s phone was reported to have been hacked by Russian agents while she was foreign secretary. The breach was said to have taken place during the summer Conservative leadership campaign but to have been suppressed from public disclosure until afterwards.
Agents suspected of working for Russia had been responsible for the alleged hacking, according to the Mail on Sunday.
The government has refused to comment on the exact case but has said it has ‘robust systems in place to protect against cyber threats’.
In the same month, Suella Braverman admitted to sending government emails to her personal account. She was forced to leave office by Ms Truss, the then prime minister, after the matter came to light, before being reappointed by Rishi Sunak six days later.
In a letter to the Commons Home Affairs Select Committee chairwoman Dame Diana Johnson, Ms Braverman admitted sending official documents from her government email to her personal email address on six occasions.
The items may have been stolen from anywhere on the parliamentary estate or elsewhere and it is the responsibility of individuals to report incidents to the Parliamentary Digital Service (PDS), the responses state.
In its answer, the Commons said: ‘It is not possible to record how reliably this is done, especially for smaller or less valuable items.’
In 2021, hardware in the keep of parliamentarians went missing from taxis, airports and streets, with one iPad with cellular being left on a plane.
The Commons and Lords both said that this year they were not able to extract the same or a greater level of information because the PDS has changed the way it stores the data.
A UK parliament spokesperson said: ‘We provide advice to users – including members of both Houses – to make them aware of the risks and how to manage their equipment safely, however we do not comment on specific details of our cyber or physical security controls, policies or incidents.’