The government did not have a digital disaster recovery plan in place for the Legal Aid Agency despite knowing since 2021 that the agency's IT systems were vulnerable to attack, it has emerged.

The agency’s systems were hacked on 31 December 2024, with the cyber attack detected during routine checks in April. The system was shut down the following month after a notification from the attacker was received.

LAA deputy chief executive Jane Harbottle told MPs last autumn that the legal aid system had been on the government's risk register as a vulnerability since 2021 and was rated 'extremely high risk'. Asked by Labour’s Marie Rimmer last month about the adequacy of disaster recovery planning at the LAA prior to the attack, justice minister Sarah Sackman revealed there was no digital disaster recovery plan.

Sackman: 'Any immediate restoration would have simply restored the systems without resolving vulnerabilities'

Source: Michael Cross

‘However, had we had a fully funded disaster recovery system, any immediate restoration would have simply restored the systems without resolving the vulnerabilities that enabled the cyber attack to occur,’ Sackman said in a written ministerial response.

Sackman said responsibility for disaster recovery planning lay with Justice Digital, not the LAA. Justice Digital now has a ‘service owner structure’ in place and every digital product has a disaster recovery plan.

But Sackman said the LAA had business continuity plans to maintain access to justice during system outages. ‘These plans were tried and tested, and we were confident that the measures would be effective for our initial response. These measures gave us sufficient time to design and implement longer term measures to meet the specific needs of the incident that were introduced in June 2025,’ Sackman said.
