Legal Aid Agency: Cybersecurity Incident

Statement

The following Statement was made in the House of Commons on Monday 19 May.

“With permission, I will make a Statement about an incident that has affected the Legal Aid Agency—an executive agency of the Ministry of Justice. The House will appreciate that while investigations are ongoing, there are limits to the amount of information that I can share publicly. However, the Government wish to be as transparent as possible with Parliament, and I will provide an update based on the information that we currently have.

On Wednesday 23 April, the Legal Aid Agency became aware of a cyberattack on its online digital services. These are the services through which legal aid providers log their work and receive payment from the Government. The Government of course took immediate action to bolster the security of the system, working closely with experts at the National Crime Agency, the Government Cyber Coordination Centre and the National Cyber Security Centre. We alerted the Information Commissioner and, importantly, informed all legal aid providers that some of their details had been compromised. We also took some Legal Aid Agency systems offline between 7 and 11 May to carry out work to contain the breach. Officials have been working around the clock to stabilise the system and support a complex investigation.

I can now confirm that the cyberattack was more extensive than originally thought. On Friday 16 May, we learned from the attackers behind it that they had accessed a large amount of information relating to legal aid applicants, and we assessed that threat to be credible. We believe they have accessed and downloaded a significant amount of personal data from those who applied for legal aid through our digital service some time since 2010. That data may include applicants’ contact details, addresses, date of birth, national ID numbers, criminal history, employment status and financial data, such as contribution amounts, debts and payments. I should stress that this does not mean that every individual involved will be impacted in the same way, but we needed to act to safeguard the service and its users. In line with advice from the National Cyber Security Centre, the Legal Aid Agency took its online services down on Friday. I urge all members of the public who have applied for legal aid since 2010 to be on high alert for any suspicious activity. That includes messages and phone calls from unknown numbers. If anyone is in any doubt at all, please take steps to verify a person’s identity before providing any information.

I understand the gravity of these events. At this stage, we believe that the breach is contained to the Legal Aid Agency’s systems; there are no indications that other parts of the justice system have been impacted. The Government are committed to making every effort to ensure that the vital operational delivery of legal aid continues. We have put in place contingency plans to ensure that those most in need of legal support can continue to access the help that they need.

The House should be in no doubt that the Legal Aid Agency has suffered an unacceptable attack on its systems at the hands of criminals. Sadly, that attack is not altogether surprising; the vulnerabilities in the Legal Aid Agency systems have been known for many years. The risk of such an attack was steadily growing during the previous Government’s tenure, but they took no meaningful action to fix the systems, leaving them vulnerable to attack. The previous Government were repeatedly warned about the Legal Aid Agency systems being old, inflexible and unstable. In 2023, the Law Society called on the Government to urgently invest in the Legal Aid Agency digital system, saying that the system was ‘too fragile to cope’. In March 2024, the Law Society pointed to the agency’s ‘antiquated IT systems’ as

‘evidence of the long-term neglect of our justice system’.

In short, this data breach was made possible by the long years of neglect and mismanagement of the justice system under the last Conservative Government. They knew about the vulnerabilities of the Legal Aid Agency digital systems, but did not act. By contrast, since taking office, this Government have prioritised work to reverse the damage of over a decade of underinvestment. That includes the allocation of over £20 million in extra funding this year to stabilise and transform the Legal Aid Agency digital services. I am extremely grateful to legal aid providers across the country for their patience and co-operation, and to Ministry of Justice officials for their ongoing efforts to secure the system. The investigation is live, and the Government will do everything we can to seek justice.

Recent events have shown that every organisation, no matter how big or small, is at risk from this type of criminal behaviour. Sadly, the Government are not exempt. This incident has none the less demonstrated in stark terms that our legal aid digital systems are critically fragile and not fit for the 21st century. When I took up this ministerial role, I was, frankly, shocked to see just how fragile they were. This Government inherited a legal aid sector that has been neglected for far too long. We have invested in stabilising the current digital systems and have kick-started an ambitious reform programme to transform them. That means creating a modern, user-friendly and resilient service. The programme will also deliver a more flexible service, so that we can implement changes faster, and better respond to changing demands.

That transformation will take time. In the light of this incredibly serious incident, my right honourable friend the Lord Chancellor and I are exploring options to expedite the programme and put our systems on a more secure footing. The Government will not hesitate to act to protect our vital public services, because without legal aid our justice system would grind to a halt. This is an ongoing and sensitive issue, and our investigation and mitigating action continue. To ensure that Members are informed and updated, I will provide a written update in due course. I commend this Statement to the House”.

19:48:00

My Lords, while the Government Benches may criticise the role of successive Governments in preventing cyberattacks, we must not lose sight of where the true blame lies. The primary responsibility for this deeply troubling incident rests with the malicious individuals who orchestrated it. This was not merely a digital intrusion; it was a direct assault on some of the most vulnerable members of our society. The data accessed is, in many cases, highly sensitive—it includes medical and other personal records—and the scale and nature of the information compromised over a period, apparently, from 2010, may mark this as one of the more serious data breaches that the Government have suffered in recent years. Given the gravity of the situation, will the Minister confirm how many individuals have been affected? How are the Government supporting the individuals whose data has been exposed? Is he able to confirm the possible motive and identity of the attackers? Has there, for example, been any form of ransom demand from those who perpetrated this act? We welcome the involvement of the National Crime Agency and the National Cyber Security Centre. Their expertise will be essential. Clearly, it is imperative that those responsible for this breach are held to account and brought to justice. Significant concerns remain regarding the Government’s handling of this matter. I therefore seek clarity from the Minister on a number of issues. Why were Parliament and the public not informed immediately when the breach was discovered on 23 April? We now understand that the data access may include information dating back to 2010, as I said before, and that over 2 million records may have been compromised. The delay of almost a month before this was made public may have prevented individuals taking timely steps to protect themselves from potential risks. Was there a failure to properly appreciate the seriousness of this breach? Further, can the Minister update the House on the status of the operational systems that are vital for processing legal aid and payments to legal professionals? If these systems are not fully restored, how can we expect to return to full functionality? It may seem odd to talk about payment of legal aid to lawyers but, of course, those working in the fields of criminal law and family law, which are severely underfunded in many respects, will find the cash flow from the legal fund vital to their continuing activities. It is therefore important that that issue should also be addressed. We heard in the other place that the Government believe that the incident has been contained. How did the Government arrive at that conclusion, and could the Minister explain to the House what is meant by “contained”? Will he confirm whether the Ministry of Justice has conducted or intends to conduct a comprehensive risk assessment of its wider digital infrastructure? Will similar assessments be made in other departments to safeguard against future vulnerabilities? I also ask the Minister to ensure that Parliament receives regular and transparent updates as the investigation progresses. It is critical that we and members of the public should be informed clearly and promptly about the consequences of this breach and how it is being addressed. The breach itself represents a significant failure in the protection of our justice system’s digital infrastructure. That is liable to undermine public trust and raises serious concerns about data security and transparency, so I ask the Government to respond with urgency and openness to this issue. Finally, I will raise a question about the devolved Administrations. For example, Scotland has its own legal aid structure, as, I believe, Northern Ireland does also, but those structures in turn depend on data from the United Kingdom—for example, access to social security data. Have they been impacted by this event? If so, what liaison has there been with the devolved Administrations to try to minimise the difficulties that they may have been caused by this data breach? I am obliged.

My Lords, this cyberattack and its result have exposed the lamentable insecurity of the Legal Aid Agency data systems. The ramifications are serious. The personal information that goes into legal aid applications and is held by legal aid providers includes much highly confidential material, which can be used by criminals not just to embarrass but to defraud and, in some cases, harass applicants for legal aid. We are told that the attackers in this case accessed residential addresses, contact details, dates of birth, and employment and financial data—indeed, much of the material that identity checkers seek and criminals could profit from. As the noble and learned Lord, Lord Keen of Elie, said, it appears to have affected 2 million items of data and legal aid applications going back as far as 2010. In addition, as became clear in the House of Commons, that information would have included sensitive medical information. Indeed, that must be right, because many applicants for legal aid would include such information with their applications. Can the Minister say whether there are plans to establish a dedicated helpline or other support systems, and if so what support systems, for individuals who may seek advice or protection in the light of this attack? Of course, our first condemnation is for the callous criminality of the attackers, whose actions exposed so many vulnerable individuals to risk. These cyberattacks appear, according to the Minister in the other place, to have come from organised crime. It would be helpful for the Minister, so far as possible and without jeopardising security, to give an account to the House of what steps the Ministry of Justice takes routinely and has taken in the light of this case to protect the data of those seeking to access legal aid. This question is similar to one asked by the noble and learned Lord: will the MoJ carry out a full independent inquiry into this attack, and what can be done to restore public confidence in its future cybersecurity arrangements? We understand the need for the Legal Aid Agency’s systems to go offline in the short term, as they have, but can the Government say how long the shutdown of online services is likely to last and how far the legal aid system will be impacted through delays and in reduced ability to deal with its workload? We should not underestimate the degree to which the MoJ’s IT systems are antiquated, inefficient, insecure and, frankly, unfit for purpose. We on these Benches agree that that results from a neglect of the system over years under the preceding Administration. As the Statement rightly points out, the Law Society has been complaining for years about the outdatedness of our legal aid IT systems. The £20 million promised for updating the agency’s systems will help. However, regrettably, I worry that there is some complacency about the sentence in the Statement that reads: “At this stage, we believe that the breach is contained to the Legal Aid Agency’s systems; there are no indications that other parts of the justice system have been impacted”. Can the Minister say whether the Government will now institute a survey of current IT systems across the department to consider their security? Will the department also institute a system of regular cybersecurity audits for the future, to ensure robust defence of its digital systems and to prevent recurrence of this breach? More widely, this event should act as a wake-up call for government as a whole to investigate how far its IT systems can provide the public with a high standard of data security. We hope that the promised cybersecurity and resilience Bill will bring some improvement, but we will not keep citizens’ data secure without investing the necessary resources. The reality is that we are working with old and inefficient systems that, frankly, grow creakier and creakier, just as the ingenuity and criminality of the potential attackers becomes ever more sophisticated, not least as the value of personal data rises and the potential for its abuse becomes ever greater. The Statement rightly reminds us that every organisation is at risk from this kind of criminal behaviour and government is not exempt. As a vital part of the social compact, it is a responsibility of government to keep the personal data it holds on individuals secure. If government fails to live up to that responsibility, it rightly forfeits public trust and we concerned are to know, from the Government, how they intend to retain that trust.

I thank both the noble and learned Lord and the noble Lord for their questions. I will endeavour to answer them as fully as I can. I say at the outset that I share their sense of concern about this breach. It is undoubtedly very serious—one of the more serious ones that have happened to Governments in recent years. I agree, of course, with the point that the noble and learned Lord made, that the primary responsibility is with the criminals who themselves undertook this hacking of the LAF systems. I want to check and correct one point made by the noble and learned Lord, Lord Keen. He spoke about medical records. As far as we are aware, there are no medical records contained within this system. There is other information available, which is, of course, a great cause for concern, but there are no medical records that we are aware of. The noble and learned Lord asked when Ministers were first made aware of this breach. The departmental staff stood up an immediate operational response upon being made aware and ministerial colleagues and I have been updated throughout. There is a cross-departmental response under way. But it is fair to say that the seriousness of the breach became evident only some time after we were made aware of the initial breach. It was when the situation worsened that it was decided to put the information in the public domain and report the incident to Parliament. Noble Lords asked how many people have been affected. We have not put forward a number as such. However, they are right to say that we are talking about all the data going back to 2010. That is many thousands of people. The nature of the data is, indeed, personal and people need to take remedial action if they have had interactions with the Legal Aid Agency to make sure that their data is not compromised. So, if people try to contact them on numbers they do not recognise and so forth, they need to be suspicious and careful. Another central question was about what the Government are advising people to do if they think they may be victims of this theft of data. The primary port of contact will be the providers themselves—the lawyers and barristers who have been using the Legal Aid Agency. They will be in a better position to advise the people who may be victims. However, if we are made aware of individual people who are particularly vulnerable, the MoJ or the Legal Aid Agency will also endeavour to contact them directly. But the primary source of information will be from the providers themselves. The noble and learned Lord asked me to comment on the nature of the attack. I cannot do that because there is a criminal investigation under way. I will not comment or speculate on the motive either. Both noble Lords asked about the current operational system. The current system is offline. We hope to get it online as soon as possible, but I am not in a position to give any commitment on that front. I can say that there are systems in place to ensure that the providers themselves will get paid, so that they can continue to work, but it will be a reduced method of payment. I do not mean that the amount of money is less but there will be less systemisation within the payment, if I may put it like that. Nevertheless, the payments will be made in the immediate future. I reassure noble Lords that all the various government agencies have been informed about this. There is an ongoing risk assessment and there will be an update to Parliament when appropriate. I can also tell the noble and learned Lord that the devolved Administrations in Northern Ireland and Scotland have been informed and are well aware of this. Although, as he rightly observed, they have stand-alone systems, there is overlap between the two systems. So, although their own systems will not be affected by this, it may be that they will have more restricted access to data from the Legal Aid Agency, which covers England and Wales. The noble Lord, Lord Marks, asked about a full independent inquiry. I cannot make that commitment, but I can absolutely say that this is being taken extremely seriously across government. There has been a review of systems in other parts of government and, as far as we know, there are no similar hacking attacks in other parts of government, although of course one should not be complacent about these things. I am absolutely sure that these reviews of the other systems will be ongoing, just to check that no future hacks become apparent. I do not think it is fair for the noble Lord, Lord Marks, to say that there was a degree of complacency in the statement that we believe the breach is contained; that is an honestly held belief. The many professionals involved in containing this particular breach, but also looking across government, are very acutely aware of how systems need to be updated and kept under review, and there needs to be investment. The noble Lord mentioned the sum of money the Government are going to invest, but it is worth repeating the point made by my honourable friend Sarah Sackman that this breach came to light only because of the extra money we are currently putting into the system. It would not have come to light without that additional investment. But, of course, we want to go further, and we need to go further to make sure that the systems are updated as far as possible. I do not want to make the obvious political points about the legacy systems. I think we all understand the position we are in. Nevertheless, this is a serious matter, we are not at the end of the road yet and I absolutely undertake that we will keep Parliament informed as the situation develops.

20:09:00

Sitting suspended.