The group behind a recent cyber-attack on the Legal Aid Agency has accessed a ‘significant amount’ of applicants’ personal data, the government admitted this morning.
Earlier this month legal aid practitioners were notified about a ‘security incident’ that prompted the LAA to take its online portal offline as part of work to protect information.
Today, the Ministry of Justice confirmed the incident was ‘more extensive than originally understood’. The MoJ became aware of a ‘cyber attack’ on the LAA’s online digital services on 23 April, immediately took action to bolster the system’s security and informed practitioners that some of their details may have been compromised.
However, on 16 May, the MoJ discovered that the attack was ‘more extensive than originally understood and that the group behind it had accessed a large amount of information relating to legal aid applicants’.
‘We believe the group has accessed and downloaded a significant amount of personal data from those who applied for legal aid through our digital service since 2010.
'This data may have included contact details and addresses of applicants, their dates of birth, national ID numbers [national insurance], criminal history, employment status and financial data such as contribution amounts, debts and payments,’ the MoJ said.
Legal aid applicants have been urged to stay alert for any suspicious activity, such as unknown messages and phone calls.
LAA chief executive Jane Harbottle said: ‘I understand this news will be shocking and upsetting for people and I am extremely sorry this has happened. Since the discovery of the attack, my team has been working around the clock with the National Cyber Security Centre to bolster the security of our systems so we can safely continue the vital work of the agency.
‘However, it has become clear that to safeguard the service and its users, we needed to take radical action. That is why we’ve taken the decision to take the online service down. We have put in place the necessary contingency plans to ensure those most in need of legal support and advice can continue to access the help they need during this time.
‘I am incredibly grateful to legal aid providers for their patience and cooperation at a deeply challenging time. We will provide further updates shortly.'
The Information Commissioner's Office confirmed this morning that it was notified of the breach by the Ministry of Justice 'and we are making enquiries'.
Law Society president Richard Atkinson said: 'The advice we have received from the LAA has been scarce and inadequate given the scale of this security breach. It is the LAA’s responsibility to address the problems with their own system including contacting all the legal aid applicants whose data has been compromised.'
Atkinson said the incident once against demonstrated the need for sustained investment to bring the LAA's 'antiquated' IT systems up to date.
'The fragility of the IT system has prevented vital reforms, including updates to the means test that could help millions more access legal aid, and interim payments for firms whose cashflow is being decimated by the backlogs in the courts, through no fault of their own. If it is now also proving vulnerable to cyber attack, further delay is untenable,' he added.
'Legal aid firms are small businesses providing an important public service and are operating on the margins of financial viability. Given that vulnerability, these financial security concerns are the last thing they need.'
13 Readers' comments