What began earlier this month as a routine notice about a ‘security incident’ has now been revealed to be far more serious – and far-reaching.
On 23rd April, officials at the Ministry of Justice (MoJ) detected suspicious activity in the LAA’s digital systems. Immediate steps were taken to strengthen security, and legal aid practitioners were notified that the online portal would be taken offline as a precaution.
Now, almost a month later, the MoJ has admitted that the group behind the breach accessed and downloaded a ‘significant amount’ of data from legal aid applicants – far more than initially believed.
According to the MoJ, the compromised information could include applicants’ full names, home addresses, dates of birth, National Insurance numbers, criminal records, employment status and financial data, such as legal aid contributions, debts and payments.
Officials are urging anyone who has applied for legal aid over the last 15 years to stay alert for unusual messages or phone calls. The breach affects not only applicants but potentially also legal aid providers whose details may have been stored on the same systems.
Jane Harbottle, the LAA’s Chief Executive, acknowledged the gravity of the breach and issued a public apology:
“I understand this news will be shocking and upsetting for people and I am extremely sorry this has happened,” she said.
Harbottle noted that since the breach was discovered, her team has been working closely with the National Cyber Security Centre to secure the agency’s systems. Despite those efforts, she said the scale of the compromise meant “radical action” was needed – hence the decision to take the online services offline completely.
While contingency measures have been introduced to keep services running, Harbottle praised legal aid providers for their patience and support in what she described as a “deeply challenging time.”
The fallout from the breach has reignited criticism of the LAA’s outdated technology. Richard Atkinson, President of the Law Society of England and Wales, was quick to point out that warnings about the fragility of the system had been raised long before this incident.
“The advice we have received from the LAA has been scarce and inadequate given the scale of this security breach,” he said. “It is the LAA’s responsibility to address the problems with their own system — including contacting all legal aid applicants whose data has been compromised.”
Atkinson described the breach as yet another consequence of chronic underinvestment. He said the current IT system had already prevented necessary reforms, including updates to the means test and interim payments for law firms struggling with delays in the courts. The attack, he warned, “makes further delay untenable.”
The Information Commissioner’s Office has confirmed it is investigating the incident, while cybercrime experts from the National Cyber Security Centre continue to support the response effort. So far, no group has publicly claimed responsibility for the attack.
In the meantime, legal aid services remain partially disrupted. Applicants and providers are being asked to use offline routes while the LAA works to restore secure digital access.
It’s a shocking statistic that everyone who cares about the people in our profession – and the future of the Bar...
COVID-19 created unprecedented operational and security challenges for businesses globally across multiple sectors...
