Legal Aid Agency: Cyber-security Incident Debate

Department: Ministry of Justice

Legal Aid Agency: Cyber-security Incident

Sarah Sackman Excerpts
Monday 19th May 2025


Commons Chamber
The Minister of State, Ministry of Justice (Sarah Sackman)

With permission, I will make a statement about an incident that has affected the Legal Aid Agency—an executive agency of the Ministry of Justice. The House will appreciate that while investigations are ongoing, there are limits to the amount of information that I can share publicly. However, the Government wish to be as transparent as possible with Parliament, and I will provide an update based on the information that we currently have.

On Wednesday 23 April, the Legal Aid Agency became aware of a cyber-attack on its online digital services. These are the services through which legal aid providers log their work and receive payment from the Government. The Government of course took immediate action to bolster the security of the system, working closely with experts at the National Crime Agency, the Government Cyber Co-ordination Centre and the National Cyber Security Centre. We alerted the Information Commissioner and, importantly, informed all legal aid providers that some of their details had been compromised. We also took some Legal Aid Agency systems offline between 7 and 11 May to carry out work to contain the breach. Officials have been working around the clock to stabilise the system and support a complex investigation.

I can now confirm that the cyber-attack was more extensive than originally thought. On Friday 16 May, we learned from the attackers behind it that they had accessed a large amount of information relating to legal aid applicants, and we assessed that threat to be credible. We believe they have accessed and downloaded a significant amount of personal data from those who applied for legal aid through our digital service some time since 2010. That data may include applicants’ contact details, addresses, date of birth, national ID numbers, criminal history, employment status and financial data, such as contribution amounts, debts and payments. I should stress that this does not mean that every individual involved will be impacted in the same way, but we needed to act to safeguard the service and its users. In line with advice from the National Cyber Security Centre, the Legal Aid Agency took its online services down on Friday. I urge all members of the public who have applied for legal aid since 2010 to be on high alert for any suspicious activity. That includes messages and phone calls from unknown numbers. If anyone is in any doubt at all, please take steps to verify a person’s identity before providing any information.

I understand the gravity of these events. At this stage, we believe that the breach is contained to the Legal Aid Agency’s systems; there are no indications that other parts of the justice system have been impacted. The Government are committed to making every effort to ensure that the vital operational delivery of legal aid continues. We have put in place contingency plans to ensure that those most in need of legal support can continue to access the help that they need.

The House should be in no doubt that the Legal Aid Agency has suffered an unacceptable attack on its systems at the hands of criminals. Sadly, that attack is not altogether surprising; the vulnerabilities in the Legal Aid Agency systems have been known for many years. The risk of such an attack was steadily growing during the previous Government’s tenure, but they took no meaningful action to fix the systems, leaving them vulnerable to attack. The previous Government were repeatedly warned about the Legal Aid Agency systems being old, inflexible and unstable. In 2023, the Law Society called on the Government to urgently invest in the Legal Aid Agency digital system, saying that the system was “too fragile to cope.” In March 2024, the Law Society pointed to the agency’s “antiquated IT systems” as

“evidence of the long-term neglect of our justice system”.

In short, this data breach was made possible by the long years of neglect and mismanagement of the justice system under the last Conservative Government. They knew about the vulnerabilities of the Legal Aid Agency digital systems, but did not act. By contrast, since taking office, this Government have prioritised work to reverse the damage of over a decade of under-investment. That includes the allocation of over £20 million in extra funding this year to stabilise and transform the Legal Aid Agency digital services. I am extremely grateful to legal aid providers across the country for their patience and co-operation, and to Ministry of Justice officials for their ongoing efforts to secure the system. The investigation is live, and the Government will do everything we can to seek justice.

Recent events have shown that every organisation, no matter how big or small, is at risk from this type of criminal behaviour. Sadly, the Government are not exempt. This incident has none the less demonstrated in stark terms that our legal aid digital systems are critically fragile and not fit for the 21st century. When I took up this ministerial role, I was frankly shocked to see just how fragile they were. This Government inherited a legal aid sector that has been neglected for far too long. We have invested in stabilising the current digital systems and have kick-started an ambitious reform programme to transform them. That means creating a modern, user-friendly and resilient service. The programme will also deliver a more flexible service, so that we can implement changes faster, and better respond to changing demands.

That transformation will take time. In the light of this incredibly serious incident, my right hon. Friend the Lord Chancellor and I are exploring options to expedite the programme and put our systems on a more secure footing. The Government will not hesitate to act to protect our vital public services, because without legal aid, our justice system would grind to a halt. This is an ongoing and sensitive issue, and our investigation and mitigating action continue. To ensure that Members are informed and updated, I will provide a written update in due course. I commend this statement to the House.

Madam Deputy Speaker (Judith Cummins)

I call shadow Minister Dr Kieran Mullan.

Dr Kieran Mullan (Bexhill and Battle) (Con)

I thank the Minister for advance sight of her statement, although it was pretty disappointing to hear her deliver it as written. Before I had seen her statement, I drafted one of my own. In it, I was clear that I would limit my party political remarks, and thinking that the Minister would devote a significant part of her statement to condemning the immoral, malicious, criminal actors who are responsible for this attack, I intended to begin with strong words of support for what she said. However, if Members listened closely, they would have heard that she devoted most of her time to party political attacks, and managed barely one sentence of condemnation. I suggest that she looks at her statement when she leaves the Chamber, and reflects on that.

I will say what the Minister should have said to all those worried by what has happened, including those who may be victims of fraud as a result, and taxpayers who will pick up the bill: we should never lose sight of the fact that whatever the role of any Government, past or present, in unsuccessfully defending against such attacks, the primary responsibility for this lies with the despicable criminals who carried it out. This was not just an attack on a digital system; it was an attack on some of the most vulnerable in our society. Their data is deeply personal in some cases, given that sensitive medical records have been exposed. It is utterly appalling. We welcome the fact that the National Crime Agency and the National Cyber Security Centre are involved, and I hope that the Minister will agree that those behind this breach must be brought to justice. Nothing should stand in the way of full accountability for this crime.

Addressing the actions of those behind the attack is paramount. The Minister may seek to focus blame on a previous Government, but I have questions about this Government’s response. First, why was the decision taken not to inform the House and the public about the breach when it was first discovered on 23 April? We now learn that the impact may extend to those who made applications as far back as 2010, and that more than 2 million pieces of information have been accessed. The delay of nearly a month in notifying the public and/or understanding the nature of the attack could have hindered individuals from taking necessary steps to protect themselves from potential harm, such as fraud or harassment.

Secondly, the Minister mentioned taking systems offline that are crucial for legal professional payments. Can she provide a clear update on the operational status of those systems? If they are not yet fully functional, what is the estimated timeline for their restoration? She mentioned contingency plans; could she tell us more about their nature? Thirdly, can she share any information about the origin of this attack? Is it believed to be a state-linked criminal enterprise? Fourthly, has the Ministry of Justice initiated a thorough risk assessment of its other digital systems, and digital systems across Government more widely? She says that the Government believe that the attack is contained, but on what basis has she reached that conclusion?

Fifthly, the Minister talked about the £20 million set aside for delivering improved systems. She will know the challenges that previous Governments faced in attempting to upgrade those systems. What specific improvements will be achieved by this funding, and when? Finally, will the Minister give a commitment to full transparency for the House, through regular updates as the investigations progress? She mentioned seeking to make the public more aware of the issue, so that people know if they might be affected. Will she ensure that those affected by this breach are directly contacted and offered appropriate support? Will she reiterate the Government’s commitment to ensuring that those responsible are brought to justice? The security of our justice system, public confidence and the wellbeing of vulnerable individuals depend on a robust and transparent response to this serious incident.

Sarah Sackman

The hon. Member is right to say that those responsible for this attack on our justice system are criminals—no ifs, no buts. What they have perpetrated on our legal aid systems is not only dangerous; it exposes the data of legal aid providers and applicants. The threats made to the Government are entirely unacceptable and malicious, and the Government will be robust in their response and in pursuing justice; I think I made that clear in my statement.

It is important that we are honest and frank about the vulnerability of the legacy IT systems that support our legal aid system. The vulnerability of that system exposed both legal aid providers and end users—as the hon. Member says, some of the most vulnerable people in our society—to unacceptable risk. I am focused on the short term and eliminating the threat, but also on the long term, on investing in resilience, and on the rescue and transformation of the platforms, so that we who are responsible for the legal aid system and our wider justice system do not expose people to that risk again.

The hon. Member asks why the House was not informed when Ministers were informed, in late April. The reason for that is simple: when Ministers were first informed about the exposure of the Legal Aid Agency’s digital platforms to this risk, the full extent of the risk, and the nature and extent of the data put at risk, were not fully understood. As a Minister, I have competing responsibilities. I have a responsibility to keep the legal aid system going—to ensure that those who need to access legal support can do so, and that those providing legal aid to vulnerable clients are paid. At that point, given the understood risk, the responsibility to keep the system going outweighed any need to inform the House of the exposure of the system. However, the most important people in the system—the legal aid providers and, by extension, their clients—were informed, as was the Information Commissioner, whom we are legally obliged to inform. When the greater extent of the risk became known, we promptly and transparently informed the House of the position. That was a transparent and proportionate response to our understanding of the evolving criminal threat.

The shadow Minister asked about the restoration of the system. The system has been closed down to negate the threat and prevent further exposure of legal aid providers and users. We will not reopen the system until we are satisfied that it is safe to do so. As he will understand, I cannot comment further on this live and sensitive situation. However, I can assure him that we have put in place contingency plans to ensure that those who need to apply for legal support in the coming days and weeks, and those who are currently accessing legal aid, can provide information to the legal aid agencies through alternative means, so that we can keep the show on the road.

The shadow Minister asks about wider Government exposure to any risks. As I have mentioned, regrettably, Government Departments, local authorities, universities and our best-known businesses are exposed to the sort of criminal activity that the Legal Aid Agency has experienced, but from what we know, this attack is confined to the Legal Aid Agency, and goes no wider than that. He asks about our long-term plans. As I have said, our long-term plans involve a significant investment of £20 million to stabilise and transform the service. Indeed, we know about today’s threat partly because of the investment that we have made since we came into government. We discovered the threat and became alive to the fact that hackers were infiltrating the system partly because of the work that we were doing to stabilise and transform the system. That work has to continue. The Lord Chancellor and I will look at whether we can expedite some of that work to bake resilience into the system.

The shadow Minister asked about full transparency and keeping the House up to date. As I said, I will provide a written update in due course, and today I can undertake to provide full transparency. Legal aid providers have been kept fully informed along the way, as have our professional bodies, such as the Law Society and the Bar Council, many of which are legal aid providers. That is because we need all of them, working in a robust system, to deliver the justice and legal aid that people so sorely need.

Madam Deputy Speaker (Judith Cummins)

I call the Chair of the Justice Committee.

Andy Slaughter (Hammersmith and Chiswick) (Lab)

The loss of very sensitive data relating to so many vulnerable people over such a long time makes this one of the most serious data breaches of recent years. It is also a wake-up call, alerting us to the poor state of the Legal Aid Agency IT systems, and perhaps Government IT systems more generally. I appreciate that the Minister has inherited this debacle, but it is on her desk now. Will she confirm the numbers affected, whether the leaks have been stemmed, and what steps are being taken to recover the data from the thieves who have taken it? I have more questions that there is not time to deal with here. She said that she will provide a written statement, but will she also brief the Select Committee and the opposition parties, if necessary in confidence, on the steps being taken to rectify the situation?

Sarah Sackman

I thank my hon. Friend for that pertinent question. He will appreciate that it would be inappropriate for me to comment in any great detail while the investigation is ongoing. As he and the rest of the House can imagine, if we are talking about those who have applied for or been in receipt of legal aid since 2010 and all the legal providers in this country that have had legal aid contracts with the Government, one gets a sense of the scale of the exposure. It is a very serious breach indeed.

The malign criminals who are responsible for the hack have given a figure for the amounts of data that they have, which has been trailed in some of the newspapers. Those who have read the papers will know that it is in the region of 2 million items of data, so one can see that the scale of the problem is very serious indeed. I should say that that figure cannot be verified, and I will not comment in further detail.

With respect to my hon. Friend’s request that the JSC and Opposition parties are kept up to date as the investigation develops and as we take steps to eliminate this risk from our systems, I am very happy to give that update.

Madam Deputy Speaker (Judith Cummins)

I call the Liberal Democrat spokesperson.

Josh Babarinde (Eastbourne) (LD)

I thank the Minister for advance sight of her statement. Hundreds of thousands of people across the country, including many in my patch of Eastbourne, will be hugely concerned that their information is in the hands of deplorable criminals whose identities we do not know and whose further intentions are unclear, and who should face the full force of the law. The damage is especially profound, because the state’s inability to steward the public’s data undermines people’s trust in our justice system. More than that, given that legal aid applicants are the victims, the data breach risks disproportionately undermining the trust of some of the most vulnerable people in our society. The previous Government should hang their heads in shame for ignoring the Law Society’s 2023 calls to address those vulnerabilities when they had the chance.

This Government must urgently restore trust, and I have a few questions in pursuit of that. First, how will the Minister proactively communicate with all those affected about this breach to provide guidance and support? Secondly, will she consider launching a dedicated advice line, for example, for anyone who is worried about what it means for them? Thirdly, the Legal Aid Agency’s services were taken offline last Friday, as the Minister confirmed, so how will she ensure that that does not compromise people’s access to legal aid in the meantime? Finally, will the Government conduct a cyber-security review of all the systems they use across their remit to identify and address further vulnerabilities before they are exploited at the expense of our constituents?

Sarah Sackman

The hon. Gentleman is absolutely right that incidents such as this perpetrated by cyber-criminals represent an attack on our justice system and are corrosive of trust. He is also absolutely right that, in so doing, they are hitting some of the most vulnerable in our society. That angers me, frankly, and the response needs to be commensurate to the damage that they have done not just in stealing people’s private data, but to the wider system in undermining trust.

We are taking a proactive approach to communicating with people and with the sector. As soon as the risk and the exposure of the system to these hackers was identified, legal aid providers were updated on their exposure and told to take proactive security steps. That communication has been updated, and, as well as today’s public statement, we are in constant communication with those legal aid providers. They are really the most important point of contact, because they have a relationship of trust with their clients, and they will be invited to pass on the warnings and messages coming from the Government. Where we know of particular individuals whose data may have been exposed and who may be particularly vulnerable, we are communicating directly with them. I will take away the hon. Gentleman’s suggestion of an advice line, but for now what I have described will be the most important and effective way of disseminating the warnings and keeping people up to date as the situation evolves.

Turning to the wider security threat to Government and other vulnerabilities, before this attack we had indicated in any event that we would have a new national cyber strategy across Government by the end of the year. Obviously, we also intend to introduce the cyber-security and resilience Bill, which aims to improve and strengthen Government cyber-defences and Government responses to attacks just like this one. All of that is going to be important to improving the resilience not just of the Legal Aid Agency but of cyber-systems right across Government.

Lauren Edwards (Rochester and Strood) (Lab)

A recent Public Accounts Committee inquiry found that the Government still have substantial gaps in their understanding of how resilient their IT estate is to cyber-attack. It was really helpful to hear from the Minister about the work that is ongoing, but in the light of this very serious incident, will she and all Departments urgently assess the robustness of cyber-defences, not only in arm’s length bodies such as the Legal Aid Agency but in legacy IT systems and the supply chain—which the Committee found to be known areas of weakness—to ensure that our cyber-defences in Whitehall are as strong as possible?

Sarah Sackman

My hon. Friend is absolutely right. Whether in Government, local authorities or other bodies such as universities and businesses big and small—as we know, some of the most famous businesses in this country have recently been exposed to these sorts of risks—and whether the cyber-attacks come from state actors or from organised crime, as appears to be the case in this instance, legacy IT systems are one of the most serious vulnerabilities. That is precisely what today’s incident highlights, and it is why that national cyber strategy is going to be so important. It will identify how we build up our resilience at pace and protect against these vulnerabilities, which are system-wide and affect public and private actors alike.

David Reed (Exmouth and Exeter East) (Con)

In recent months, the UK has experienced a number of very high-profile cyber-attacks right across the public and private sectors. Does the Minister agree that now is the time to update the Computer Misuse Act 1990 to enhance cyber-resilience through strengthened legal protections for cyber-security researchers? If her answer is yes, which Department is responsible for bringing about that change?

Sarah Sackman

The hon. Gentleman will know that the cyber-security and resilience Bill will be introduced in this Session. The focus of that Bill is to improve the cyber-defences of this country by bolstering regulator support and the regulatory framework and setting out how our national security agencies can provide a strengthened and emboldened response to just such attacks. It seems to me that that Bill is the appropriate legislative vehicle for delivering what I think we all wish to see, which is a more robust defence of our cyber-systems.

Chris Vince (Harlow) (Lab/Co-op)

I thank the Minister for her statement. What shocks me most about this attack is that it is an attack on some of the most vulnerable people in our society. What can be done by residents in Harlow who are concerned that their data has been taken by these criminals, and how can they get legal aid if they need it?

Sarah Sackman

I thank my hon. Friend for that very important question. People can do two things: first, be in touch with their legal aid provider, because that will be the source of the data sharing and would have been the source of the application for legal aid. Secondly, if they are concerned that their data may have been affected, they can get in touch directly with the Legal Aid Agency. Legal aid providers have been informed of how those who need to apply for legal aid can continue to do so, because it is vital that we do not allow the justice system to grind to a halt and that those who need emergency legal aid can continue to access it. We have put in place business contingency plans to ensure that no one in this country, whether in Harlow or anywhere else, will be prevented from—or delayed in—accessing legal aid while we work to resolve this issue.

Sir John Whittingdale (Maldon) (Con)

The Minister will be aware of the rising number of cyber-attacks by criminals and by hostile state actors. May I also express my disappointment that she has chosen to try to make party political points on this issue? Instead, can she say whether those responsible are UK-based, such as the DragonForce group or the Scattered Spider group who claim responsibility for the attacks on the Co-op and Marks & Spencer? Can she also say whether checks are being made across Government to identify any security breaches that may not yet have been acted on by those who are responsible?

Sarah Sackman

I will not disclose the name of the perpetrators of this malign attack. I do not think it would be responsible for me to do so while the investigation is live and while they are being pursued, not least through legal avenues. I am not able to share that information at the moment, but when I can share it, I will of course update the House.

Dr Andrew Murrison (South West Wiltshire) (Con)

In her zeal to have a pop at the previous Government, the Minister implied that this country was peculiarly vulnerable to cyber-attack. There will be people listening to her out there who may be encouraged by that, so will she correct the record and reflect upon the International Telecommunication Union’s global cyber-security index, which found Britain to be right at the very top of the league table for cyber-security, along with countries known to be experts, such as Estonia and Germany? Does she agree that while we must not be complacent, it is important to tell the whole truth?

Sarah Sackman

As I said, those responsible are the baddies here, but let me be clear: I was absolutely shocked when I came into the Department to find the state of the Legal Aid Agency’s legacy IT systems. They were fragile, vulnerable, at risk and, frankly, not fit for purpose. That is not my view; that is the view of the Law Society and lots of users. They have to use an arcane system that is not only slow but, as we have now found, is so fragile that it has exposed many of its users to an unconscionable risk. That is not good enough. It is not talking down the system; it is the state of the system. That vulnerability has been exposed by these malign actors. The fact is that the previous Government knew about it and failed to fix it. We will not make the same mistake.

Iqbal Mohamed (Dewsbury and Batley) (Ind)

I thank the Minister for her statement. She is absolutely right. I join the Opposition in condemning the criminals who perpetrated this attack. She has already explained what constituents who may be impacted should do, and I will not ask her to repeat that, but can she assure this House that the learnings from this cyber-attack are already being applied across Government and the public sector? If extra steps are required to access legal aid or process payments by legal aid providers, will the providers be compensated accordingly?

Sarah Sackman

Once we have resolved this investigation, once we can be assured that the hackers are no longer in the system and that people’s data is safe and once we can be assured that our legal aid platform is operating properly and is handling people’s data in a safe way, there will need to be a stocktake and an effort to learn lessons, not least as we embark—we are already in the process of doing this—on stabilising and transforming this system so that it is fit for the future. No doubt, there will be lessons from this particular attack for other public and Government bodies. The question of compensation must wait for another day. My priority is removing the hackers from the system, making sure that they feel the full force of the law and ensuring that, in the meantime, no person who needs legal aid cannot get it and the system continues to operate.

Alison Griffiths (Bognor Regis and Littlehampton) (Con)

Recent cyber-attacks on retail targets have highlighted the cost to businesses and individuals of an organisation’s failure to take cyber-security sufficiently seriously. This attack on the Legal Aid Agency, resulting in the theft of millions of pieces of deeply sensitive personal data, is perhaps the most egregious yet. Why has it taken a newspaper article to bring the Minister to the Chamber? What else is she not telling us?

Sarah Sackman

I am afraid that the hon. Lady has got her chronology the wrong way round. There was a newspaper article because the Ministry of Justice had published a public statement as soon as it became aware of the full extent of the threat. It did that to protect legal aid providers and their clients, the end users. We have been utterly transparent. It is not following the newspaper article; the hon. Lady has her facts exactly the wrong way round.

Jim Shannon (Strangford) (DUP)

I thank the Minister for her detailed answers and reassurances. The legal aid system is an imperative cog in the wheels of justice, and this attack on it must be seen as an attack on justice as well. Can the Minister say whether the attack encompasses legal aid details from the entirety of the United Kingdom of Great Britain and Northern Ireland? What discussions have taken place with the Justice Minister in Northern Ireland, where people will have justified fears about their addresses being leaked to those who may harm them? What support is available to those who are now in fear, such as domestic abuse victims?

--- Later in debate ---
Sarah Sackman

My understanding is that the entirety of the Legal Aid Agency’s system has been exposed. We do not know the full extent of that exposure and the theft that has taken place, and we will not know until investigations have been completed, but it is for that reason that we have taken the precaution of shutting the system down.

I can assure the hon. Gentleman that we will be in contact with all the devolved nations and regions to ensure that legal aid providers throughout the United Kingdom are kept informed. He is right: some of the most vulnerable people in society who are in receipt of legal aid will be feeling that much more vulnerable today. I deeply regret that, and it is what makes me so furious about what has happened. I urge them to be super-vigilant and to be in touch with their providers, and I urge those providers to contact the Legal Aid Agency, and contact us, about any particular vulnerabilities and about cases in which they need to continue to provide those clients with legal aid.