His Majesty’s Revenue and Customs (HMRC) has reported the loss or theft of nearly 3,000 electronic devices over the past three years, fuelling growing concerns over government cybersecurity as cyberattacks and phishing scams surge across the UK.
Data obtained through a Freedom of Information (FOI) request and analysed by the Parliament Street think tank reveals that a total of 2,897 devices—including mobile phones, tablets, and laptops—were lost or stolen from the tax authority since 2022. The combined value of the missing hardware exceeds £1.8 million.
This revelation comes just weeks after a sophisticated HMRC phishing attack saw £47 million stolen from more than 100,000 individuals, highlighting what experts describe as the increasing vulnerability of UK government systems.
Of the total figure, 393 devices were confirmed as stolen, with an estimated value of £295,818. A further 2,504 items were recorded as lost—including 2,181 mobile phones, 866 of which were reported missing in the past year alone.
An HMRC spokesperson said that all employees are required to report any missing equipment as a security incident, triggering internal investigations. The tax authority added that standard-issue devices are encrypted to HMG (Her Majesty’s Government) security standards and are remotely deactivated once reported missing.
The high number of missing phones, HMRC said, was partly due to audits identifying legacy devices that had been replaced but were not properly decommissioned. The figures also include items lost in the post.
Despite these explanations, cybersecurity professionals say the loss of such a large number of potentially sensitive devices is deeply concerning.
“Stolen devices are a major national security risk for government departments,” said Andy Ward, SVP International at Absolute Security. “They hold vast quantities of sensitive data—from home addresses and VAT filings to details of ongoing tax investigations. If that data is compromised, individuals and businesses could face devastating financial losses, fraud, and identity theft.”
He added: “Organisations must be able to immediately freeze or shut off lost devices to prevent wider network breaches. The weakest link—whether it’s a misplaced phone or an undertrained employee—can open the door to catastrophic attacks.”
The HMRC figures sit within a wider trend of public sector data security lapses. Over the same three-year period, the Ministry of Defence recorded 1,166 lost or stolen devices, while a further 688 devices went missing from bodies including the Bank of England, the Department for Science, Innovation and Technology, the Competition and Markets Authority, and the Department of Health and Social Care.
Arakadiy Ukolov, CEO and Co-Founder of Ulla Technology, warned that the risks go beyond hardware.
“Whether you’re in financial services, government, or HR, strong data protection must be non-negotiable,” he said. “Every organisation needs a robust governance model supported by privacy-first digital infrastructure. Combine that with staff training and awareness—especially around modern risks like AI platform data leakage—and you significantly reduce the likelihood of a breach.”
As government departments digitise more services and store increasingly sensitive personal and financial data, experts are calling for better internal oversight, stricter reporting protocols, and investments in next-generation cybersecurity systems.
For businesses and taxpayers alike, the message is clear: when it comes to safeguarding data, vigilance is no longer optional.
Read more:
Nearly 3,000 HMRC laptops and phones lost or stolen, raising cybersecurity fears