4 hours ago
12
The personal data of hundreds of thousands of legal aid applicants dating back to 2010, including criminal records and financial details, has been accessed and downloaded in a “significant” cyber-attack.
Officials admit that the data may have included contact details and addresses of applicants, their dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments.
Hackers have claimed that they accessed 2.1m pieces of data, a figure that has so far been unverified.
The breach will cause alarm among hundreds of thousands of applicants and legal aid lawyers.
A Ministry of Justice source put the breach down to the “neglect and mismanagement” of the previous government, saying vulnerabilities in the Legal Aid Agency’s (LAA) systems have been known for many years.
“This data breach was made possible by the long years of neglect and mismanagement of the justice system under the last government.
“They knew about the vulnerabilities of the Legal Aid Agency digital systems, but did not act,” the source said.
The MoJ said officials became aware of a cyber-attack on the LAA’s online digital services on 23 April, but realised on Friday that it was more extensive than originally thought.
The LAA’s online digital services, which are used by legal aid providers to log their work and get paid by the government, has been taken offline.
The MoJ said: “We believe the group has accessed and downloaded a significant amount of personal data from those who applied for legal aid through our digital service since 2010.
“This data may have included contact details and addresses of applicants, their dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments.
“We would urge all members of the public who have applied for legal aid in this time period to take steps to safeguard themselves. We would recommend you are alert for any suspicious activity such as unknown messages or phone calls and to be extra vigilant to update any potentially exposed passwords.
“If you are in doubt about anyone you are communicating with online or over the phone you should verify their identity independently before providing any information to them.”
The MoJ has been working with the National Crime Agency and the National Cyber Security Centre, and has informed the information commissioner.
The LAA’s chief executive, Jane Harbottle, apologised for the breach: “I understand this news will be shocking and upsetting for people and I am extremely sorry this has happened.
“Since the discovery of the attack, my team has been working around the clock with the National Cyber Security Centre to bolster the security of our systems so we can safely continue the vital work of the agency.
“However, it has become clear that, to safeguard the service and its users, we needed to take radical action. That is why we’ve taken the decision to take the online service down,” she said.
Harbottle said contingency plans are in place to make sure those in need of legal support and advice can continue to access it.
In 2023, the Law Society called on the government to invest in the LAA digital system, saying the system was “too fragile to cope”. As recently as March 2024, the Law Society pointed to the “antiquated IT systems” of the LAA as “evidence of the long-term neglect of our justice system”.
