Asked by: Marie Rimmer (Labour - St Helens South and Whiston)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, with reference to the the Legal Advice Agency data breach in April 2025, whether his Department and the LAA had a prepared disaster recovery plan prior to the breach.
Answered by Sarah Sackman - Minister of State (Ministry of Justice)
We take the security of people’s personal data extremely seriously.
Firstly, to ensure transparency about the cyber- attack and that we reached as many potentially impacted individuals as possible, the Ministry of Justice published a notice shortly after it became aware of the criminal cyber-attack at 08:15 on 19 May on GOV.UK
The notice provided information about the cyber-attack and directed concerned members of the public to the National Cyber Security Centre’s webpage, which contained information on how to protect against the impact of a data breach.
The Legal Aid Agency (LAA) also set up dedicated Customer Services support via a telephone line and email for providers and clients who had concerns regarding the data breach. We did not write to all clients, to all the addresses that we had, because some of those addresses would no longer be current, and that would potentially create another data breach in itself.
The published statement referred to above sets out information about who may have been impacted and the nature of the information which may have been accessed. As far as we are aware, no data has been shared or put out in the public domain. An injunction has been put in place to prohibit sharing of this data. Anyone who does so could be sent to prison. If it is identified that a specific individual is at risk, action will be taken to try to contact them.
In the interests of security, we cannot confirm the method by which unauthorised access was gained to the LAA’s online digital systems or details about specific steps taken or measures implemented to protect LAA systems against any future cyber-attacks.
Security of the new systems has been paramount as we have rebuilt the LAA’s digital systems following the attack. The compromised digital portal has been replaced by a new, secure single sign-in tool for LAA online services (SiLAS). SiLAS has been designed and built in line with UK government and industry best practice for secure development. Security has been included from the ground up, including multi factor authentication, with independent testing activities to validate that the appropriate security controls are in place.
A dedicated team will monitor and update the service to ensure it evolves to remain resilient to emerging threats and is supported by a security operations capability. While no system can be entirely risk free, we are confident that we have taken the right steps to protect the service and its users.
Responsibility for disaster recovery planning for digital systems lies with Justice Digital rather than the LAA. Prior to the cyber- attack there was no digital disaster recovery plan in place. However, had we had a fully funded disaster recovery system, any immediate restoration would have simply restored the systems without resolving the vulnerabilities that enabled the cyber- attack to occur. Justice Digital now have a new Service Owner structure in place where clear Service Standards will be defined and monitored. This will include digital disaster recovery plans for each digital product.
Prior to the cyber- attack the LAA had in place prepared business continuity plans for business-critical processes and services to ensure that access to justice could be maintained in the event of a system outage. These plans were tried and tested, and we were confident that the measures would be effective for our initial response. These measures gave us sufficient time to design and implement longer term measures to meet the specific needs of the incident that were introduced in June 2025.
At every stage, we have acted to protect public access to justice and to support providers in delivering legal aid. We have achieved this without affecting court backlogs or police station activity.
Our business continuity planning was effective in maintaining access to justice from the outset of the attack and the need to have longer term options in place is one of the lessons that we have taken from this incident.
A formal lessons learned approach will systematically analyse lessons from the Ministry of Justice’s and LAA’s preparation for and response to the cyber-attack. This work will cover pre-incident risk management and the response to the incident itself. This will inform future resilience planning, governance improvement and risk mitigation strategies across the Ministry of Justice and its agencies.
Asked by: Marie Rimmer (Labour - St Helens South and Whiston)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, what assessment he has made of the adequacy of disaster recovery planning at the Legal Aid Agency prior to the cyber-attack of April 2025.
Answered by Sarah Sackman - Minister of State (Ministry of Justice)
We take the security of people’s personal data extremely seriously.
Firstly, to ensure transparency about the cyber- attack and that we reached as many potentially impacted individuals as possible, the Ministry of Justice published a notice shortly after it became aware of the criminal cyber-attack at 08:15 on 19 May on GOV.UK
The notice provided information about the cyber-attack and directed concerned members of the public to the National Cyber Security Centre’s webpage, which contained information on how to protect against the impact of a data breach.
The Legal Aid Agency (LAA) also set up dedicated Customer Services support via a telephone line and email for providers and clients who had concerns regarding the data breach. We did not write to all clients, to all the addresses that we had, because some of those addresses would no longer be current, and that would potentially create another data breach in itself.
The published statement referred to above sets out information about who may have been impacted and the nature of the information which may have been accessed. As far as we are aware, no data has been shared or put out in the public domain. An injunction has been put in place to prohibit sharing of this data. Anyone who does so could be sent to prison. If it is identified that a specific individual is at risk, action will be taken to try to contact them.
In the interests of security, we cannot confirm the method by which unauthorised access was gained to the LAA’s online digital systems or details about specific steps taken or measures implemented to protect LAA systems against any future cyber-attacks.
Security of the new systems has been paramount as we have rebuilt the LAA’s digital systems following the attack. The compromised digital portal has been replaced by a new, secure single sign-in tool for LAA online services (SiLAS). SiLAS has been designed and built in line with UK government and industry best practice for secure development. Security has been included from the ground up, including multi factor authentication, with independent testing activities to validate that the appropriate security controls are in place.
A dedicated team will monitor and update the service to ensure it evolves to remain resilient to emerging threats and is supported by a security operations capability. While no system can be entirely risk free, we are confident that we have taken the right steps to protect the service and its users.
Responsibility for disaster recovery planning for digital systems lies with Justice Digital rather than the LAA. Prior to the cyber- attack there was no digital disaster recovery plan in place. However, had we had a fully funded disaster recovery system, any immediate restoration would have simply restored the systems without resolving the vulnerabilities that enabled the cyber- attack to occur. Justice Digital now have a new Service Owner structure in place where clear Service Standards will be defined and monitored. This will include digital disaster recovery plans for each digital product.
Prior to the cyber- attack the LAA had in place prepared business continuity plans for business-critical processes and services to ensure that access to justice could be maintained in the event of a system outage. These plans were tried and tested, and we were confident that the measures would be effective for our initial response. These measures gave us sufficient time to design and implement longer term measures to meet the specific needs of the incident that were introduced in June 2025.
At every stage, we have acted to protect public access to justice and to support providers in delivering legal aid. We have achieved this without affecting court backlogs or police station activity.
Our business continuity planning was effective in maintaining access to justice from the outset of the attack and the need to have longer term options in place is one of the lessons that we have taken from this incident.
A formal lessons learned approach will systematically analyse lessons from the Ministry of Justice’s and LAA’s preparation for and response to the cyber-attack. This work will cover pre-incident risk management and the response to the incident itself. This will inform future resilience planning, governance improvement and risk mitigation strategies across the Ministry of Justice and its agencies.
Asked by: James McMurdock (Independent - South Basildon and East Thurrock)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, what plans he has to publish data on convictions and sentencing outcomes for immigration offences.
Answered by Jake Richards - Assistant Whip
The Ministry of Justice routinely publishes data on prosecutions, convictions and sentencing at criminal courts in England and Wales in the Outcomes by Offences data tool. This tool includes convictions and sentencing for immigration offences and can be downloaded from the Criminal Justice Statistics landing page here: Criminal Justice Statistics.
Asked by: Andrew Mitchell (Conservative - Sutton Coldfield)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, what recent steps his Department has taken to help reduce levels of reoffending in the West Midlands.
Answered by Jake Richards - Assistant Whip
HMPPS Area Executive Directors (AEDs) are responsible for leading a joined-up approach to prisons and probation in their region, alongside working with criminal justice partners such as the police and local authorities to address the causes of offending and to make sure that those released from prison do not reoffend.
For those who persistently break the law, we are building 14,000 new prison places to make sure they are removed from the streets. Whilst in prison they will be expected to take part in education or learn new skills to make them more useful contributors to society after release.
Anyone released from prison is subject to strict licence conditions, including exclusion zones where appropriate. If found to have breached these conditions they can be returned to prison.
The Probation Service puts in place services aimed at reducing re-offending by supporting the needs of people on probation in the West Midlands. These include providing support in obtaining and maintaining suitable accommodation, help with drug and alcohol dependency issues, assistance with personal wellbeing needs and a holistic service addressing all needs for women.
In the Midlands, we have introduced an area Reducing Reoffending lead who will lead on projects working with Prison and Probations across the Midlands to help in reducing reoffending.
Asked by: Al Pinkerton (Liberal Democrat - Surrey Heath)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, what steps his Department is taking to improve safety in prisons in (a) Hampshire and (b) Surrey.
Answered by Jake Richards - Assistant Whip
Safety in prisons is a key priority, and we are working hard to make prisons as safe as possible for those who live and work in them. We are providing targeted support to a number of prisons to improve safety, security and substance misuse processes, and the join-up between them, to strengthen safety outcomes.
There are a number of local initiatives taking place to improve safety in prisons in Surrey and Hampshire. These include but are not limited to; using peer mentoring and restorative justice to promote conflict resolution and personal growth, encouraging positive relationships between staff and prisoners to bolster prisoner wellbeing and specific projects designed to support young adults and neurodiverse individuals in custody. Sites are also upskilling staff in safety related tasks, implementing improvements in the physical environment, and utilising Substance Free Living Units.
Asked by: Pam Cox (Labour - Colchester)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, how many prisons and Young Offender Institutions currently have (a) an Incentivised Substance Free Living Unit operating, (b) a Drug Recovery Wing operating, and (c) a Drug Strategy Lead in post.
Answered by Jake Richards - Assistant Whip
HM Prison & Probation Service (HMPPS) has funded Incentivised Substance Free Living Units in 85 prisons, and six currently have abstinence-based Drug Recovery Wings. To support delivery of HMPPS’ Drug and Alcohol Strategy, 54 prisons have a dedicated Drug Strategy Lead. All remaining prisons, including Young Offender Institutions, have a designated point of contact for Drug and Alcohol Strategy work.
In addition, HMPPS has recruited 17 Group Drug and Alcohol Leads providing regional leadership, assurance, and co-ordination of drug and alcohol work for all the establishments in their Prison Group. They align activity at establishment level with national drug and alcohol strategy and policies which aim to restrict supply, reduce demand and support recovery. They also support local and regional partnerships with healthcare providers to support a range of issues including continuity of care on release.
Asked by: Pam Cox (Labour - Colchester)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, how many foreign national offenders were in prison in England and Wales, by offence group as of 30 September 2025.
Answered by Jake Richards - Assistant Whip
A breakdown of Foreign National Offenders (FNOs) by offence group is published in the Annual prison population statistics and the most recent publication can be found here: prison-population-2025.ods. Please see Table_1_A_26, which shows the breakdown as of 30 June 2025.
As these statistics are published annually, we are not able to provide a breakdown as of September.
In the last year, we removed over 2,700 FNOs under the Early Removal Scheme, that is more than the number removed in the previous year, and a 74 percent increase compared to the same period in 2023. It will free up much-needed space in our prisons.
Asked by: Pam Cox (Labour - Colchester)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, how many Prison Transfer Agreements are currently in place.
Answered by Jake Richards - Assistant Whip
The UK has Prisoner Transfer Agreements (PTAs) with over 110 countries. They allow for the transfer of Foreign National Offenders (FNOs) to their country of nationality to serve the remainder of their sentence, and the repatriation of British Citizens imprisoned overseas.
There are two types of PTA, compulsory meaning the FNO does not need to consent to transfer, and voluntary which means they do. In either case both countries must agree each transfer.
Asked by: James McMurdock (Independent - South Basildon and East Thurrock)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, what data he holds on the reoffending rates of individuals convicted of offences relating to illegal entry into the UK.
Answered by Jake Richards - Assistant Whip
Providing this would incur disproportionate costs.
More broadly the Government is tackling the root causes of reoffending by investing in a range of services which address offenders’ underlying criminogenic needs and support their rehabilitation journey. This includes education, employment, accommodation and access to substance misuse treatment.
Asked by: Pam Cox (Labour - Colchester)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, what was the rate of compliance for people fitted with an alcohol monitoring device after their release from prison, in each year since 2021.
Answered by Jake Richards - Assistant Whip
We are unable to provide compliance rates by year for those released from custody and subject to alcohol monitoring. However, our published research for this cohort has shown around four out of five prison leavers with an alcohol monitoring condition added to their licence during 2023 did not violate their order. Of those who did violate their order, most only received a single violation. The Department’s published research can be found here - AML: Process and Interim Impact Evaluation.
The compliance rate of alcohol monitoring imposed by the court as part of a Community Order or Suspended Sentence Order, which imposes a total ban on drinking alcohol for up to 120 days, showed from the introduction of the technology in October 2020 through to 6 June 2025, the devices did not register a tamper or alcohol alert for 97.3% of the days worn. Anyone who does break the rules, risks being returned to custody.