EXCL: HMRC ‘monitoring exposure’ to Windows 7 as end-of-support looms
Department reveals it has almost 1,800 PCs still running on ageing operating system
With the end of support for Windows 7 little more than a month away, HM Revenue and Customs has revealed it still has almost 1,800 PCs running on the operating system – and no date set for upgrading.
Data released by the department to PublicTechnology under the Freedom of Information Act reveals that HMRC owns 12,185 desktop computers and 29,282 laptops and tablets.
The department has close to 60,000 full-time equivalent staff, and its FOI response indicated that “the rest of our estate is made up of leased tablet devices”.
Of the computing devices owned by the tax agency, a total of 1,577 desktops and 204 laptops still run on Windows 7 – support for which ends on 14 January 2020.
This equates to 4.3% of the overall total of 42,167 machines.
When asked about its plans to migrate these machines to Windows 10, the latest version of Microsoft’s flagship operating system, the department revealed that it has no definitive date for doing so. But officials will be keeping an eye on the situation in the new year.
[Sidebar figures: number of PCs owned by HMRC; number that still run on Windows 7; 14 January 2020; 22 October 2009, public release date of Windows 7]
“We have no set upgrade deadline in place,” it said. “However, we are actively monitoring the additional exposure caused by the end of support on 14 January 2020.”
The 1,781 Windows 7 licences still in operation across HMRC’s estate are, at least, the oldest in the department: none of its machines run on a version of Windows that predates the 10-year-old OS.
From 14 January, Microsoft will no longer provide free technical help with the product, nor any updates to help protect against new threats. Extended support is available until as late as 2023 – although this will require payments that will escalate over time.
Monthly data from StatCounter reveals that an estimated 17.72% of all PCs in the UK still run on Windows 7.
As of June 2019, this included 1.05 million machines run by the NHS – which represent the majority of the 1.37 million PCs in use across the health service.
PublicTechnology research into Windows 7 usage across the public sector – more of which will be published over the next two weeks – has also found that a number of government agencies are still reliant on the decade-old software.
An FOI response from the Office for National Statistics revealed that 5,089 of its 8,570 PCs run on Windows 7. The organisation has set 31 March 2020 as its upgrade deadline.
The Information Commissioner’s Office, meanwhile, plans to migrate away from Windows 7 by the end of this month. The regulator will be upgrading the vast majority of its machines: 927 out of a total of 1,037.
Others, including the Cabinet Office, the Crown Prosecution Service, and the Department for Business, Energy and Industrial Strategy, have already completed this process.
Between them, the three agencies have moved a total of 21,793 PCs onto Windows 10, FOI data revealed.
However, in response to FOI requests from PublicTechnology, the majority of central government bodies refused not only to disclose information on their use of operating systems, but even to confirm or deny whether they held such information in the first place.
Numerous public sector agencies – particularly central government bodies – cited FOI exemptions allowing non-disclosure in cases where an increased vulnerability to crime outweighs the public interest in transparency.
Several of these have gone through or are currently undergoing an internal review on our request, and a complaint lodged with the ICO about HM Land Registry’s repeated non-disclosure has been deemed “eligible for further consideration” and is currently being looked at by one of the regulator’s caseworkers.
HMRC also initially refused to confirm or deny whether it held the information requested. But this decision was overturned following an internal review.
Responding to PublicTechnology’s request for this review, it said: “Your email… challenges the view that knowing which operating systems are in use by a specific department makes that department susceptible to cyberattacks. Having reconsidered your original request, we agree that telling you about our operating systems would not in itself increase the risk to our systems. We have, therefore, looked at your request again and answered each question.”