Criminals accessed a “significant amount” of citizens' personal data including contact details, criminal histories and financial data in a cyberattack on the Legal Aid Agency last month, the Ministry of Justice has said.
In a joint statement this morning, the Legal Aid Agency and MoJ said it had first identified the hack on the LAA’s digital service on 23 April – but has since learned it was “more extensive” than previously thought.
The breach was initially believed to have affected law firms providing legal aid. But on 16 May, the agency discovered the group behind the attack “had accessed a large amount of information relating to legal aid applicants”.
Hackers are believed to have accessed and downloaded personal data from people who have applied for legal aid through the digital service in the last 15 years, which may include their addresses, dates of birth, national ID numbers and employment status. Financial data that was compromised in the breach may have included contribution amounts, debts and payments, the statement said
The agency has urged members of the public who have applied for legal aid since 2010 to “take steps to safeguard themselves”. This means being “alert” to suspicious activity such as unknown messages or phone calls and updating any passwords that may have been exposed.
The LAA has taken its digital service down in response to the update. Its chief executive, Jane Harbottle, said it had become apparent that "radical action" was needed to safeguard the service and its users.
"We have put in place the necessary contingency plans to ensure those most in need of legal support and advice can continue to access the help they need during this time," she said.
"I am incredibly grateful to legal aid providers for their patience and cooperation at a deeply challenging time."
The Law Society, which represents solicitors across the UK, blamed the LAA's "antiquated IT system" for the breach.
"The incident once again demonstrates the need for sustained investment to bring the LAA's antiquated IT system up to date and ensure the public have continued trust in the justice system," a Law Society spokesperson said.
The news comes shortly after the Public Accounts Committee warned that government departments have underestimated the severity of the threat faced from hostile states and criminals. In a report last week, PAC said there is now a “significant gap” between the magnitude of the cyber threat and government’s response
In a statement about the cyberattack, Harbottle said: "I understand this news will be shocking and upsetting for people and I am extremely sorry this has happened.
Since the discovery of the attack, my team has been working around the clock with the National Cyber Security Centre to bolster the security of our systems so we can safely continue the vital work of the agency."
The LAA will publish further updates "shortly".
'Immediate action' taken
The MoJ and the agency said they had taken “immediate action” to improve security of the system in the days after the breach. They said they had informed all legal-aid providers that some of their details, including financial information, may have been compromised.
They have been working with the National Crime Agency and National Cyber Security Centre since then, as well as alerting the Information Commissioner's Office.
The LAA told law firms of the breach in a letter at the end of April. The letter, seen by Sky News, said it was “possible that financial information relating to legal-aid providers may have been accessed by a third party".
The agency said it was unable to say "what, if any, information was accessed", but said it was "possible that payment information may have been accessed".