Legal Aid Agency: Cyber-security Incident Debate
Commons Chamber
With permission, I will make a statement about an incident that has affected the Legal Aid Agency—an executive agency of the Ministry of Justice. The House will appreciate that while investigations are ongoing, there are limits to the amount of information that I can share publicly. However, the Government wish to be as transparent as possible with Parliament, and I will provide an update based on the information that we currently have.
On Wednesday 23 April, the Legal Aid Agency became aware of a cyber-attack on its online digital services. These are the services through which legal aid providers log their work and receive payment from the Government. The Government of course took immediate action to bolster the security of the system, working closely with experts at the National Crime Agency, the Government Cyber Co-ordination Centre and the National Cyber Security Centre. We alerted the Information Commissioner and, importantly, informed all legal aid providers that some of their details had been compromised. We also took some Legal Aid Agency systems offline between 7 and 11 May to carry out work to contain the breach. Officials have been working around the clock to stabilise the system and support a complex investigation.
I can now confirm that the cyber-attack was more extensive than originally thought. On Friday 16 May, we learned from the attackers behind it that they had accessed a large amount of information relating to legal aid applicants, and we assessed that threat to be credible. We believe they have accessed and downloaded a significant amount of personal data from those who applied for legal aid through our digital service some time since 2010. That data may include applicants’ contact details, addresses, date of birth, national ID numbers, criminal history, employment status and financial data, such as contribution amounts, debts and payments. I should stress that this does not mean that every individual involved will be impacted in the same way, but we needed to act to safeguard the service and its users. In line with advice from the National Cyber Security Centre, the Legal Aid Agency took its online services down on Friday. I urge all members of the public who have applied for legal aid since 2010 to be on high alert for any suspicious activity. That includes messages and phone calls from unknown numbers. If anyone is in any doubt at all, please take steps to verify a person’s identity before providing any information.
I understand the gravity of these events. At this stage, we believe that the breach is contained to the Legal Aid Agency’s systems; there are no indications that other parts of the justice system have been impacted. The Government are committed to making every effort to ensure that the vital operational delivery of legal aid continues. We have put in place contingency plans to ensure that those most in need of legal support can continue to access the help that they need.
The House should be in no doubt that the Legal Aid Agency has suffered an unacceptable attack on its systems at the hands of criminals. Sadly, that attack is not altogether surprising; the vulnerabilities in the Legal Aid Agency systems have been known for many years. The risk of such an attack was steadily growing through the previous Government’s tenure, but they took no meaningful action to fix the systems, leaving them vulnerable to attack. The previous Government were repeatedly warned about the Legal Aid Agency systems being old, inflexible and unstable. In 2023, the Law Society called on the Government to urgently invest in the Legal Aid Agency digital system, saying that the system was “too fragile to cope.” In March 2024, the Law Society pointed to the agency’s “antiquated IT systems” as
“evidence of the long-term neglect of our justice system”.
In short, this data breach was made possible by the long years of neglect and mismanagement of the justice system under the last Conservative Government. They knew about the vulnerabilities of the Legal Aid Agency digital systems, but did not act. By contrast, since taking office, this Government have prioritised work to reverse the damage of over a decade of under-investment. That includes the allocation of over £20 million in extra funding this year to stabilise and transform the Legal Aid Agency digital services. I am extremely grateful to legal aid providers across the country for their patience and co-operation, and to Ministry of Justice officials for their ongoing efforts to secure the system. The investigation is live, and the Government will do everything we can to seek justice.
Recent events have shown that every organisation, no matter how big or small, is at risk from this type of criminal behaviour. Sadly, the Government are not exempt. This incident has none the less demonstrated in stark terms that our legal aid digital systems are critically fragile and not fit for the 21st century. When I took up this ministerial role, I was frankly shocked to see just how fragile they were. This Government inherited a legal aid sector that has been neglected for far too long. We have invested in stabilising the current digital systems and have kick-started an ambitious reform programme to transform them. That means creating a modern, user-friendly and resilient service. The programme will also deliver a more flexible service, so that we can implement changes faster, and better respond to changing demands.
That transformation will take time. In the light of this incredibly serious incident, my right hon. Friend the Lord Chancellor and I are exploring options to expedite the programme and put our systems on a more secure footing. The Government will not hesitate to act to protect our vital public services, because without legal aid, our justice system would grind to a halt. This is an ongoing and sensitive issue, and our investigation and mitigating action continue. To ensure that Members are informed and updated, I will provide a written update in due course. I commend this statement to the House.
The hon. Member is right to say that those responsible for this attack on our justice system are criminals—no ifs, no buts. What they have perpetrated on our legal aid systems is not only dangerous; it exposes the data of legal aid providers and applicants. The threats made to the Government are entirely unacceptable and malicious, and the Government will be robust in their response and in pursuing justice; I think I made that clear in my statement.
It is important that we are honest and frank about the vulnerability of the legacy IT systems that support our legal aid system. The vulnerability of that system exposed both legal aid providers and end users—as the hon. Member says, some of the most vulnerable people in our society—to unacceptable risk. I am focused on the short term and eliminating the threat, but also on the long term, on investing in resilience, and on the rescue and transformation of the platforms, so that we who are responsible for the legal aid system and our wider justice system do not expose people to that risk again.
The hon. Member asks why the House was not informed when Ministers were informed, in late April. The reason for that is simple: when Ministers were first informed about the exposure of the Legal Aid Agency’s digital platforms to this risk, the full extent of the risk, and the nature and extent of the data put at risk, were not fully understood. As a Minister, I have competing responsibilities. I have a responsibility to keep the legal aid system going—to ensure that those who need to access legal support can do so, and that those providing legal aid to vulnerable clients are paid. At that point, given the understood risk, the responsibility to keep the system going outweighed any need to inform the House of the exposure of the system. However, the most important people in the system—the legal aid providers and, by extension, their clients—were informed, as was the Information Commissioner, whom we are legally obliged to inform. When the greater extent of the risk became known, we promptly and transparently informed the House of the position. That was a transparent and proportionate response to our understanding of the evolving criminal threat.
The shadow Minister asked about the restoration of the system. The system has been closed down to negate the threat and prevent further exposure of legal aid providers and users. We will not reopen the system until we are satisfied that it is safe to do so. As he will understand, I cannot comment further on this live and sensitive situation. However, I can assure him that we have put in place contingency plans to ensure that those who need to apply for legal support in the coming days and weeks, and those who are currently accessing legal aid, can provide information to the legal aid agencies through alternative means, so that we can keep the show on the road.
The shadow Minister asks about wider Government exposure to any risks. As I have mentioned, regrettably, Government Departments, local authorities, universities and our best-known businesses are exposed to the sort of criminal activity that the Legal Aid Agency has experienced, but from what we know, this attack is confined to the Legal Aid Agency, and goes no wider than that. He asks about our long-term plans. As I have said, our long-term plans involve a significant investment of £20 million to stabilise and transform the service. Indeed, we know about today’s threat partly because of the investment that we have made since we came into government. We discovered the threat and became alive to the fact that hackers were infiltrating the system partly because of the work that we were doing to stabilise and transform the system. That work has to continue. The Lord Chancellor and I will look at whether we can expedite some of that work to bake resilience into the system.
The shadow Minister asked about full transparency and keeping the House up to date. As I said, I will provide a written update in due course, and today I can undertake to provide full transparency. Legal aid providers have been kept fully informed along the way, as have our professional bodies, such as the Law Society and the Bar Council, many of which are legal aid providers. That is because we need all of them, working in a robust system, to deliver the justice and legal aid that people so sorely need.
The loss of very sensitive data relating to so many vulnerable people over such a long time makes this one of the most serious data breaches of recent years. It is also a wake-up call, alerting us to the poor state of the Legal Aid Agency IT systems, and perhaps Government IT systems more generally. I appreciate that the Minister has inherited this debacle, but it is on her desk now. Will she confirm the numbers affected, whether the leaks have been stemmed, and what steps are being taken to recover the data from the thieves who have taken it? I have more questions that there is not time to deal with here. She said that she will provide a written statement, but will she also brief the Select Committee and the opposition parties, if necessary in confidence, on the steps being taken to rectify the situation?
I thank my hon. Friend for that pertinent question. He will appreciate that it would be inappropriate for me to comment in any great detail while the investigation is ongoing. As he and the rest of the House can imagine, if we are talking about those who have applied for or been in receipt of legal aid since 2010 and all the legal providers in this country that have had legal aid contracts with the Government, one gets a sense of the scale of the exposure. It is a very serious breach indeed.
The malign criminals who are responsible for the hack have given a figure for the amounts of data that they have, which has been trailed in some of the newspapers. Those who have read the papers will know that it is in the region of 2 million items of data, so one can see that the scale of the problem is very serious indeed. I should say that that figure cannot be verified, and I will not comment in further detail.
With respect to my hon. Friend’s request that the JSC and Opposition parties are kept up to date as the investigation develops and as we take steps to eliminate this risk from our systems, I am very happy to give that update.
I thank the Minister for advance sight of her statement. Hundreds of thousands of people across the country, including many in my patch of Eastbourne, will be hugely concerned that their information is in the hands of deplorable criminals whose identities we do not know and whose further intentions are unclear, and who should face the full force of the law. The damage is especially profound, because the state’s inability to steward the public’s data undermines people’s trust in our justice system. More than that, given that legal aid applicants are the victims, the data breach risks disproportionately undermining the trust of some of the most vulnerable people in our society. The previous Government should hang their heads in shame for ignoring the Law Society’s 2023 calls to address those vulnerabilities when they had the chance.
This Government must urgently restore trust, and I have a few questions in pursuit of that. First, how will the Minister proactively communicate with all those affected about this breach to provide guidance and support? Secondly, will she consider launching a dedicated advice line, for example, for anyone who is worried about what it means for them? Thirdly, the Legal Aid Agency’s services were taken offline last Friday, as the Minister confirmed, so how will she ensure that that does not compromise people’s access to legal aid in the meantime? Finally, will the Government conduct a cyber-security review of all the systems they use across their remit to identify and address further vulnerabilities before they are exploited at the expense of our constituents?