As the Legal Aid Agency continues to recover from a data breach that compromised significant amounts of citizens’ personal data, a minister has claimed that the attack was made possible by fragile IT systems resulting from “long years of neglect”.
The LAA announced earlier this month that it had discovered a successful hack of its online services on 23 April. Having initially believed that the breach had only affected law firms, the agency subsequently discovered that attackers “had accessed a large amount of information relating to legal aid applicants”.
Sarah Sackman, the Ministry of Justice minister with responsibility for the administration of the legal aid regime, said that, while the attackers bear ultimate responsibility for the incident, their crimes were made possible by the weaknesses in the LAA’s tech set-up. Almost a year into its time in government, the Labour administration continues to support additional investment and other measures to address these issues, she claimed.
“This data breach is the result of heinous criminal activity but it was enabled by the fragility of the LAA’s IT systems as a result of the long years of neglect and mismanagement of the justice system under the last Conservative government,” the minister said.
“Upon taking office, I was shocked to see how fragile our legal aid systems were. They knew about the vulnerabilities of the Legal Aid Agency digital systems, but did not act. By contrast, since taking office, this government has prioritised work to reverse the damage of over a decade of under-investment. That includes the allocation of over £20m in extra funding this year to stabilise and transform the Legal Aid Agency digital services. This investment will make the system more robust and resilient in the face of similar cyberattacks in future.”
In answer to written parliamentary questions from Liberal Democrat Ben Maguire and Conservative Kieran Mullen, Sackman said that “to ensure the best chance of reaching as many potentially impacted individuals as possible, the Ministry of Justice published a notice as swiftly as possible” once the extent of the data breach had been determined on the morning of 19 May. The statement provides more information and links out to National Cyber Security Centre guidance.
This publication was followed last week by the launch of a dedicated helpline run by the Legal Aid Agency “for members of the public who are concerned they may have been affected by the LAA data breach”. Additional staff to support the service’s operation have been provided by another MoJ agency: HM Courts and Tribunals Service.
“The cyberattack is subject to an ongoing investigation, and we are working closely with the National Crime Agency and the National Cyber Security Centre,” Sackman added.
“Appropriate actions have been taken to mitigate the impact of the attack, including taking digital services offline. Contingency measures have been put in place to ensure those most in need of legal support and advice can continue to access the help they need during this time. This is an evolving situation, and we continue to update legal providers and users as it develops.
"To ensure that legal aid providers have the latest position with respect to legal aid applications and billing contingencies, and that affected parties can access the latest developments on the incident, the Legal Aid Agency has created a dedicated space with contingencies and useful resources on GOV.UK.”