The “antiquated” IT system used by the Legal Aid Agency (LAA) has come under fire after a major cyber attack saw potentially millions of pieces of personal data stolen, including criminal records.
A “significant amount of personal data” of people who applied to the agency since 2010 was accessed and downloaded in a cyber attack in April this year, the Ministry of Justice (MoJ) has said.
Those eligible to apply for legal aid include domestic violence and modern slavery victims, people involved in cases in the family court, as well as those accused of criminal offences.
The group that carried out the attack has claimed it accessed 2.1 million pieces of data but the MoJ has not verified that figure.
Richard Atkinson, president of the Law Society of England and Wales, a professional body that represents solicitors, said: “It is extremely concerning that members of the public have had their personal data compromised in this cyber security incident and the LAA must get a grip on the situation immediately.
“The incident once again demonstrates the need for sustained investment to bring the LAA’s antiquated IT system up to date and ensure the public have continued trust in the justice system.
“The fragility of the IT system has prevented vital reforms, including updates to the means test that could help millions more access legal aid, and interim payments for firms whose cash flow is being decimated by the backlogs in the courts, through no fault of their own.
“If it is now also proving vulnerable to cyber attack, further delay is untenable.
“Legal aid firms are small businesses providing an important public service and are operating on the margins of financial viability. Given that vulnerability, these financial security concerns are the last thing they need.”
The National Crime Agency is investigating the breach. It is understood that so far there is not believed to be any link to the cyber attacks on Marks and Spencer, the Co-op and Harrods, but investigators are keeping an open mind.
The Government became aware of a cyber attack on the LAA’s online digital services on April 23, but realised on Friday that it was more extensive than originally thought.
The data accessed may include contact details and addresses of legal aid applicants, their dates of birth, national insurance numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments.
Officials will try to contact anyone identified in the data believed to be at significant risk of harm.
The LAA’s online digital services, which are used by legal aid providers to log their work and get paid by the Government, have been taken offline.
An MoJ source put the breach down to the “neglect and mismanagement” of the previous government, saying vulnerabilities in the LAA’s systems have been known for many years.
“This data breach was made possible by the long years of neglect and mismanagement of the justice system under the last government.
“They knew about the vulnerabilities of the LAA digital systems, but did not act,” the source said.
It is understood the attack happened while the MoJ was working on replacing the internal system with a new version that is hoped to be up and running in the coming weeks.
The MoJ is urging anyone who has applied for legal aid since 2010 to be alert for unknown messages and phone calls and to update any passwords that could have been exposed.
The ministry has been working with the National Crime Agency and the National Cyber Security Centre, and has informed the Information Commissioner.
Legal Aid Agency chief executive Jane Harbottle apologised for the breach.
“I understand this news will be shocking and upsetting for people and I am extremely sorry this has happened.
“Since the discovery of the attack, my team has been working around the clock with the National Cyber Security Centre to bolster the security of our systems so we can safely continue the vital work of the agency.
“However, it has become clear that, to safeguard the service and its users, we needed to take radical action. That is why we’ve taken the decision to take the online service down,” she said.
Ms Harbottle said contingency plans are in place to make sure those in need of legal support and advice can continue to access it.
Reacting to the attack, global cyber security adviser Jake Moore, from software company ESET, said it highlights how critical it is for public bodies to invest in stronger cyber defences and be transparent immediately when things go wrong.
“When criminal records and other sensitive personal data are exposed, it is not just a matter of IT failure, it’s a breach of trust, privacy, and even safety in this case,” he said.
“Many of the individuals affected may already be in vulnerable situations and could now face the added stress of not knowing where their data will end up or how it might be used.
“Delays in notifying victims or vague reassurances can often worsen the damage, whether it’s a Government agency or private company.”