Sarah Sackman The Minister of State, Ministry of Justice
With permission, I will make a statement about an incident that has affected the Legal Aid Agency—an executive agency of the Ministry of Justice. The House will appreciate that while investigations are ongoing, there are limits to the amount of information that I can share publicly. However, the Government wish to be as transparent as possible with Parliament, and I will provide an update based on the information that we currently have.
On Wednesday 23 April, the Legal Aid Agency became aware of a cyber-attack on its online digital services. These are the services through which legal aid providers log their work and receive payment from the Government. The Government of course took immediate action to bolster the security of the system, working closely with experts at the National Crime Agency, the Government Cyber Co-ordination Centre and the National Cyber Security Centre. We alerted the Information Commissioner and, importantly, informed all legal aid providers that some of their details had been compromised. We also took some Legal Aid Agency systems offline between 7 and 11 May to carry out work to contain the breach. Officials have been working around the clock to stabilise the system and support a complex investigation.
I can now confirm that the cyber-attack was more extensive than originally thought. On Friday 16 May, we learned from the attackers behind it that they had accessed a large amount of information relating to legal aid applicants, and we assessed that threat to be credible. We believe they have accessed and downloaded a significant amount of personal data from those who applied for legal aid through our digital service some time since 2010. That data may include applicants’ contact details, addresses, date of birth, national ID numbers, criminal history, employment status and financial data, such as contribution amounts, debts and payments. I should stress that this does not mean that every individual involved will be impacted in the same way, but we needed to act to safeguard the service and its users. In line with advice from the National Cyber Security Centre, the Legal Aid Agency took its online services down on Friday. I urge all members of the public who have applied for legal aid since 2010 to be on high alert for any suspicious activity. That includes messages and phone calls from unknown numbers. If anyone is in any doubt at all, please take steps to verify a person’s identity before providing any information.
I understand the gravity of these events. At this stage, we believe that the breach is contained to the Legal Aid Agency’s systems; there are no indications that other parts of the justice system have been impacted. The Government are committed to making every effort to ensure that the vital operational delivery of legal aid continues. We have put in place contingency plans to ensure that those most in need of legal support can continue to access the help that they need.
The House should be in no doubt that the Legal Aid Agency has suffered an unacceptable attack on its systems at the hands of criminals. Sadly, that attack is not altogether surprising; the vulnerabilities in the Legal Aid Agency systems have been known for many years. The risk of such an attack was steadily growing during through the previous Government’s tenure, but they took no meaningful action to fix the systems, leaving them vulnerable to attack. The previous Government were repeatedly warned about the Legal Aid Agency systems being old, inflexible and unstable. In 2023, the Law Society called on the Government to urgently invest in the Legal Aid Agency digital system, saying that the system was “too fragile to cope.” In March 2024, the Law Society pointed to the agency’s “antiquated IT systems” as
“evidence of the long-term neglect of our justice system”.
In short, this data breach was made possible by the long years of neglect and mismanagement of the justice system under the last Conservative Government. They knew about the vulnerabilities of the Legal Aid Agency digital systems, but did not act. By contrast, since taking office, this Government have prioritised work to reverse the damage of over a decade of under-investment. That includes the allocation of over £20 million in extra funding this year to stabilise and transform the Legal Aid Agency digital services. I am extremely grateful to legal aid providers across the country for their patience and co-operation, and to Ministry of Justice officials for their ongoing efforts to secure the system. The investigation is live, and the Government will do everything we can to seek justice.
Recent events have shown that every organisation, no matter how big or small, is at risk from this type of criminal behaviour. Sadly, the Government are not exempt. This incident has none the less demonstrated in stark terms that our legal aid digital systems are critically fragile and not fit for the 21st century. When I took up this ministerial role, I was frankly shocked to see just how fragile they were. This Government inherited a legal aid sector that has been neglected for far too long. We have invested in stabilising the current digital systems and have kick-started an ambitious reform programme to transform them. That means creating a modern, user-friendly and resilient service. The programme will also deliver a more flexible service, so that we can implement changes faster, and better respond to changing demands.
That transformation will take time. In the light of this incredibly serious incident, my right hon. Friend the Lord Chancellor and I are exploring options to expedite the programme and put our systems on a more secure footing. The Government will not hesitate to act to protect our vital public services, because without legal aid, our justice system would grind to a halt. This is an ongoing and sensitive issue, and our investigation and mitigating action continue. To ensure that Members are informed and updated, I will provide a written update in due course. I commend this statement to the House.
John Whittingdale Conservative, Maldon
The Minister will be aware of the rising number of cyber-attacks by criminals and by hostile state actors. May I also express my disappointment that she has chosen to try to make party political points on this issue? Instead, can she say whether those responsible are UK-based, such as the DragonForce group or the Scattered Spider group who claim responsibility for the attacks on the Co-op and Marks & Spencer? Can she also say whether checks are being made across Government to identify any security breaches that may not yet have been acted on by those who are responsible?
Sarah Sackman The Minister of State, Ministry of Justice
I will not disclose the name of the perpetrators of this malign attack. I do not think it would be responsible for me to do so while the investigation is live and while they are being pursued, not least through legal avenues. I am not able to share that information at the moment, but when I can share it, I will of course update the House.
