Data Breach of Legal Aid Applicants in England and Wales
Personal information from hundreds of thousands of legal aid applicants in England and Wales, dating back to 2010, has been accessed and downloaded in serious cyberattacks. This information includes sensitive data such as criminal records and financial details.
Authorities have acknowledged that the breached data may involve personal contact details, dates of birth, national identification numbers, criminal histories, employment statuses, and payment contributions.
According to hackers, they managed to access around 2.1 million pieces of data.
This incident has raised concerns among applicants and legal aid lawyers alike.
A source from the Ministry of Justice indicated that vulnerabilities in the Legal Aid Agency (LAA) system have been known for years, attributing the breach to the “negligence and mismanagement” of the previous government.
“These data breaches were a result of years of neglect and mismanagement in the judicial system under the last administration,” the source stated. “They were aware of the weaknesses in the legal aid agency’s digital framework but failed to take action.”
The Ministry reported noticing a cyberattack targeting the LAA’s digital service on April 23, but by the following Friday, it became apparent that the impact was broader than initially understood.
The LAA’s online services, which legal aid providers use to log their work and receive payments from the government, are currently offline.
The Ministry confirmed that:
“This data may contain financial information, including applicants’ contact details, birth dates, national ID numbers, criminal histories, employment status, contributions, liabilities, and payments.”
They urged all individuals seeking legal assistance during this time to take precautions, like being vigilant about unexpected messages or calls, and to change any potentially exposed passwords.
“If you have any doubts about someone you’re communicating with online or via phone, be sure to independently verify their identity before sharing any information.”
The Ministry is collaborating with the National Crime Agency and the National Cybersecurity Centre and has informed the intelligence committee about the situation.
Jane Harbottle, the CEO of LAA, expressed her apologies for the breach. “I realize this news can be quite shocking and distressing,” she said. “Since we discovered the attack, my team has been working tirelessly with the National Cybersecurity Centre to strengthen our systems.”
“However, it’s clear we need to take decisive action to safeguard the service and its users, which is why we have decided to take the online service offline for now,” she added.
Harbottle also mentioned that a contingency plan is in place to ensure those needing legal aid still have access to support.
In 2023, the Law Society urged the government to invest in the LAA’s digital system, describing it as “incompatible and fragile.” A recent statement from the Law Association pointed out that the LAA’s outdated IT systems exemplify a long-term neglect of the judicial system.
