The UK’s leading Russell Group universities have had 670 laptops, tablets, and phones lost or stolen between over the past three years, raising urgent concerns about data security across the higher education sector.
The data, obtained through an FOI request and analysed by Parliament Street Think Tank, highlights lost and stolen devices over eleven UK Russel Group University, including UCL, University of Cambridge, University of Manchester, and Liverpool University.
Across all institutions, 395 laptops, 75 tablets, and 200 phones were reported lost or stolen between June 2022 and May 2025, with the total replacement bill to universities estimated at more than £300,000. Beyond the financial impact, this poses a significant data security risk for universities
Each lost or stolen device represents a potential backdoor into university systems, significantly increasing the risk of sensitive student, staff, and research data being exposed or exploited in cyberattacks. Even with encryption, cached login credentials or saved sessions on email and cloud services can be exploited by cybercriminals, heightening the risk of data breaches, intellectual property theft, and targeted phishing attacks.
The findings come at a time when universities are already prime targets for cyberattacks, with 73% of UK educational institutions experiencing at least one cyberattack in the past five years. Ransomware groups are increasingly targeting the sector to steal and exploit sensitive research data. Analysts warn that the physical loss of devices further compounds these digital risks, widening the attack surface for malicious actors.
Sawan Joshi, Group Director of Information Security at FDM Group, commented: “Universities are increasingly attractive targets for cybercriminals because of the vast amounts of sensitive personal and research data they hold. The loss or theft of hundreds of devices across the Russell Group highlights just how exposed the sector can be. To build true cyber resilience, university bodies must prioritise continuous training and investment into cyber talent. Technology is vital, but it’s the skills and preparedness of people that ultimately determine how effectively threats are mitigated, and sensitive data is safeguarded.”
Andy Ward, SVP International at Absolute Security commented: “Our research shows that 62% of organisations see remote devices as the single biggest weakness in their cyber resilience posture, and 60% admit remote working has complicated their ability to stay secure. The loss or theft of hundreds of laptops, tablets, and phones across universities highlights this reality, with Russell Group universities themselves victims of crime. Every misplaced device is more than just a financial loss, it represents a potential gateway for attackers to access sensitive student, staff, and research data. At any given time, any organisation can fall victim to such threats, which is why strengthening endpoint security and cyber resilience must remain a top priority.”
