The chief executive of the Legal Aid Agency has told MPs that the organisation is still working out the extent of a cyberattack that was uncovered back in the spring.
Jane Harbottle told members of parliament’s Public Accounts Committee that a team of analysts is still exploring how much of the compromised data can be pieced back together.
She told yesterday’s session that the work could take several more weeks to complete. However, she insisted that so far there was no evidence that data accessed by hackers had been published on the dark web.
In a joint statement with sponsor department the Ministry of Justice, the LAA announced on 19 May that it had taken down its digital services after a cyberattack that was detected the previous month.
The statement said that the hack had first been identified on 23 April, but had subsequently been found to be “more extensive” than previously thought. The MoJ and LAA said that the perpetrators “had accessed a large amount of information relating to legal aid applicants”.
At yesterday’s PAC hearing, Harbottle said investigations had revealed that the first-known entry into the LAA system by the attacker – made via its Legal Aid portal – was on 31 December last year.
She said that when the full severity of the cyberattack was recognised on 16 May, the LAA took its systems down, instigated a range of contingency measures and obtained an injunction to stop the publication of details related to the breach.
PAC chair Sir Geoffrey Clifton-Brown asked how many people’s data had been affected.
Harbottle said the way the LAA stores data made it hard to give details of the numbers affected; however, she said the agency was working with data watchdog the Information Commissioner’s Office on the issue.
“In terms of bank account details, we believe that any provider who’s had a payment in Legal Aid, the attacker’s had access to those details,” she said.
“In terms of the data itself, it’s very complicated. We’ve notified the ICO, we’ve been liaising with the ICO all the way through the attack.
“It’s very difficult at this moment in time to give you or to give to the ICO a number of unique records of people who have been impacted. That is because of the way our systems are structured and the way it stores the data. We have 48 different systems. We have 120 different components, all of which house various buckets of data. And the data appears as a number of transactions.”
Harbottle said there was no whole Legal Aid file, or a single file clearly linked to a particular individual.
“We have a team of analysts who are looking at this, trying to piece the data together to see if we can find unique identifiers to then map that back,” she said. “But at this time we’re just not able to do that because it’s very complicated. An awful lot of the data that was taken is coded as well, so it could be a provider putting a claim in for a particular bill, which uses a code for the type of case it was or a code for the type of payment that it was. The work is still ongoing, but at this time I can’t give you a definitive number of unique records.”
Harbottle said work on identifying the dataset was expected to take another “five-to-six weeks”.
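The difficulty Harbottle describes, that the exposed data is a set of transactions spread across many systems rather than one file per person, is a common breach-scoping problem. The following is an added illustration, not code from the article or from the LAA, of how an incident-response team can link transactional records through whatever identifiers they share and then count distinct individuals rather than records. The system names, identifier fields, codes and records are all constructed for the example; the real LAA data layout is not described on the page beyond what is quoted above.

```python
"""
Added example: estimate how many distinct individuals a transactional
data breach touches when records are spread across several systems and
identify the applicant inconsistently. Everything below is constructed
for illustration (hypothetical systems, fields, codes and values).
"""
from collections import defaultdict

# Constructed sample export from three hypothetical systems. Each record is
# one transaction; no system holds a single per-applicant file. Only the
# applications system carries an applicant reference; billing records carry
# a claim reference plus coded case/payment types; payment events carry
# only a provider identifier.
RECORDS = [
    {"system": "applications", "applicant_ref": "A-001", "claim_ref": "CLM-1001"},
    {"system": "applications", "applicant_ref": "A-002", "claim_ref": "CLM-1002"},
    {"system": "applications", "applicant_ref": "A-002", "claim_ref": "CLM-1003"},
    {"system": "billing", "claim_ref": "CLM-1001", "provider_id": "P-10",
     "case_code": "CRM", "pay_code": "FEE"},
    {"system": "billing", "claim_ref": "CLM-1003", "provider_id": "P-11",
     "case_code": "CIV", "pay_code": "DISB"},
    # A claim with no matching application record: cannot be mapped to a person.
    {"system": "billing", "claim_ref": "CLM-2000", "provider_id": "P-12",
     "case_code": "CRM", "pay_code": "FEE"},
    {"system": "payments", "provider_id": "P-10", "pay_code": "FEE"},
    {"system": "payments", "provider_id": "P-10", "pay_code": "FEE"},
    {"system": "payments", "provider_id": "P-11", "pay_code": "DISB"},
]

# Identifier fields that can tie records together. Provider ids are
# deliberately excluded: a provider is not an applicant.
LINK_FIELDS = ("applicant_ref", "claim_ref")


def link_records(records):
    """Union-find over identifier values: any two records that share an
    applicant or claim reference end up in the same cluster. Returns a list
    of clusters, each a set of (field, value) keys."""
    parent = {}

    def find(key):
        parent.setdefault(key, key)
        while parent[key] != key:
            parent[key] = parent[parent[key]]  # path halving
            key = parent[key]
        return key

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for rec in records:
        keys = [(f, rec[f]) for f in LINK_FIELDS if f in rec]
        for key in keys:
            find(key)  # register singleton keys (e.g. an orphaned claim)
        for a, b in zip(keys, keys[1:]):
            union(a, b)

    clusters = defaultdict(set)
    for key in list(parent):
        clusters[find(key)].add(key)
    return list(clusters.values())


def scope_breach(records):
    """Summarise exposure: distinct identifiable individuals, clusters that
    could not be resolved to a person, and providers whose payment records
    (and so, per the article, bank details) were in the exported data."""
    clusters = link_records(records)
    has_person = [any(f == "applicant_ref" for f, _ in c) for c in clusters]
    providers_paid = {r["provider_id"] for r in records if r["system"] == "payments"}
    return {
        "records": len(records),
        "identifiable_individuals": sum(has_person),
        "unresolved_clusters": len(clusters) - sum(has_person),
        "providers_with_payments": len(providers_paid),
    }


if __name__ == "__main__":
    print(scope_breach(RECORDS))
```

On the constructed sample the nine records resolve to two identifiable individuals, one claim that cannot be mapped to anyone, and two providers with payment events. The gap between the record count and the person count is exactly why an agency in this position cannot quote a single figure until the linking work is finished, and the unresolved cluster shows the residual uncertainty that remains even then.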
In their original announcement, the LAA and MoJ suggested that data going back to 2010 could have been compromised. In July, the organisations acknowledged that data going back to 2007 may have been accessed.
Clifton-Brown asked why 18-year-old data was still on the system.
Harbottle said legacy IT was one reason, although another was the fact that Legal Aid records needed to be retained until people had paid off any debts.
She told MPs that the LAA had been aware that its IT system required strengthening and had been in the process of delivering upgrades when the cyberattack took place. She said the attack had been discovered because of some of that upgrade work.
“In 2022-23 our estate was assessed as the most complex and fragile in the MoJ and funding of £8.4m was secured to start to address the technical debt,” she said.
“The scale and complexity of the digital estate meant that investment wasn’t sufficient. We secured another £10.5m in 2024, and it was that £10.5m – or part of that £10.5m – that put the monitoring in place which allowed us to detect the attack when it happened and it also laid the groundwork for us replacing the most vulnerable part of the system – it was called the Legal Aid portal.”
She added: “We knew there was an issue; we got funding. Was it enough and was there enough time to stop the attack? No. But it certainly helped us deal with the attack and the aftereffects of the attack.”
Harbottle said the shutdown prompted by the cyberattack did not appear to have had any impact on backlogs at criminal or civil courts.
She acknowledged that there had been “slight wider disruption” for HM Courts and Tribunals Service because of a “help with fees” service it operates that relies on an automatic benefits-checking system run by LAA with Department for Work and Pensions data.
She said when LAA took its system down in May, HMCTS had to “activate their manual contingency”.