Solicitors criticise ‘antiquated’ Legal Aid Agency IT system after cyber attack

19 May 2025, 17:34

Details including criminal records, dates of birth, national insurance numbers and payment information may have been stolen in the attack.

The “antiquated” IT system used by the Legal Aid Agency (LAA) has come under fire after a major cyber attack saw potentially millions of pieces of personal data stolen, including criminal records.

A “significant amount of personal data” of people who applied to the agency since 2010 was accessed and downloaded in a cyber attack in April this year, the Ministry of Justice (MoJ) has said.

Those eligible to apply for legal aid include domestic violence and modern slavery victims, people involved in cases in the family court, as well as those accused of criminal offences.

Lawyers are also concerned wealthy individuals who used a duty solicitor when questioned by police but were not later charged could end up at risk of being blackmailed.

The group that carried out the attack has claimed it accessed 2.1 million pieces of data but the MoJ has not verified that figure.

Richard Atkinson, president of the Law Society of England and Wales, a professional body that represents solicitors, said: “It is extremely concerning that members of the public have had their personal data compromised in this cyber security incident and the LAA must get a grip on the situation immediately.

No details have yet been released of how the attack was carried out (Adam Peck/PA)

“The incident once again demonstrates the need for sustained investment to bring the LAA’s antiquated IT system up to date and ensure the public have continued trust in the justice system.

“The fragility of the IT system has prevented vital reforms, including updates to the means test that could help millions more access legal aid, and interim payments for firms whose cash flow is being decimated by the backlogs in the courts, through no fault of their own.

“If it is now also proving vulnerable to cyber attack, further delay is untenable.

“Legal aid firms are small businesses providing an important public service and are operating on the margins of financial viability. Given that vulnerability, these financial security concerns are the last thing they need.”

The National Crime Agency is investigating the breach. It is understood that so far there is not believed to be any link to the cyber attacks on Marks and Spencer, the Co-op and Harrods, but investigators are keeping an open mind.

The Government became aware of a cyber attack on the LAA’s online digital services on April 23, but realised on Friday that it was more extensive than originally thought.

The data accessed may include contact details and addresses of legal aid applicants, their dates of birth, national insurance numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments.

Officials will try to contact anyone identified in the data believed to be at significant risk of harm.

The LAA’s online digital services, which are used by legal aid providers to log their work and get paid by the Government, have been taken offline.

An MoJ source put the breach down to the “neglect and mismanagement” of the previous government, saying vulnerabilities in the LAA’s systems have been known for many years.

“This data breach was made possible by the long years of neglect and mismanagement of the justice system under the last government.

“They knew about the vulnerabilities of the LAA digital systems, but did not act,” the source said.

It is understood the attack happened as the MoJ has been working on replacing the internal system with a new version hoped to be up and running in the coming weeks.

Speaking in the House of Commons on Monday, minister Sarah Sackman said she was “shocked” how fragile the legal aid system was when she took up her job and that work was under way to stabilise the digital systems.

There is no indication so far that any other government systems have been affected by the breach, she said.

The MoJ is urging anyone who has applied for legal aid since 2010 to be alert for unknown messages and phone calls and to update any passwords that could have been exposed.

The ministry has been working with the National Crime Agency and the National Cyber Security Centre, and has informed the Information Commissioner.

Legal Aid Agency chief executive Jane Harbottle apologised for the breach.

“I understand this news will be shocking and upsetting for people and I am extremely sorry this has happened.

“Since the discovery of the attack, my team has been working around the clock with the National Cyber Security Centre to bolster the security of our systems so we can safely continue the vital work of the agency.

“However, it has become clear that, to safeguard the service and its users, we needed to take radical action. That is why we’ve taken the decision to take the online service down,” she said.

Ms Harbottle said contingency plans are in place to make sure those in need of legal support and advice can continue to access it.

Reacting to the attack, global cyber security adviser Jake Moore, from software company ESET, said it highlights how critical it is for public bodies to invest in stronger cyber defences and be transparent immediately when things go wrong.

“When criminal records and other sensitive personal data are exposed, it is not just a matter of IT failure, it’s a breach of trust, privacy, and even safety in this case,” he said.

“Many of the individuals affected may already be in vulnerable situations and could now face the added stress of not knowing where their data will end up or how it might be used.

“Delays in notifying victims or vague reassurances can often worsen the damage whether it’s a Government agency or private company.”

Helen Morris, partner and head of reputation management at law firm Kingsley Napley, said: “Allegations of criminality pose some of the most serious threats to reputation.

“Today’s data-breach will be of concern to anyone who has been arrested since 2010 and who has had an application for public funding made in their name. This could include those who were initially allocated a duty solicitor even if they then changed to privately-funded advice.

“Such a breach is particularly concerning for those who were interviewed by the police but were never charged and the fact of the investigation never came into the public domain.

“The possession of this highly-sensitive information in the wrong hands could make any individual subject to blackmail threats, but high net worth individuals or those who otherwise have a public profile are obviously particularly vulnerable to be targeted.”

She said the right to privacy in a police investigation has been legally established and injunctions can be sought if needed.

By Press Association
