Millions of pieces of personal data, including criminal records, have been stolen from legal aid applicants in a massive cyberattack.
The data, including national insurance numbers, employment status and financial data, was breached earlier this year, according to the Ministry of Justice (MoJ).
The cyberattackers claimed they had stolen 2.1 million pieces of data from people who had applied for legal aid since 2010 but the MoJ only said a “significant amount of personal data” had been breached.
An MoJ source put the breach down to the “neglect and mismanagement” of the previous government, saying vulnerabilities in the Legal Aid Agency (LAA) systems have been known for many years.
“This data breach was made possible by the long years of neglect and mismanagement of the justice system under the last government,” the source said.
“They knew about the vulnerabilities of the Legal Aid Agency digital systems, but did not act.”
The government became aware of a cyberattack on the LAA’s online digital services on 23 April, but realised on Friday that it was more extensive than originally thought.
The MoJ is urging anyone who has applied for legal aid since 2010 to be alert for unknown messages and phone calls and to update any passwords that could have been exposed.
LAA chief executive Jane Harbottle apologised for the breach. “I understand this news will be shocking and upsetting for people and I am extremely sorry this has happened,” she said.
“Since the discovery of the attack, my team has been working around the clock with the National Cyber Security Centre to bolster the security of our systems so we can safely continue the vital work of the agency.
“However, it has become clear that, to safeguard the service and its users, we needed to take radical action. That is why we’ve taken the decision to take the online service down.”
Ms Harbottle said contingency plans are in place to make sure those in need of legal support and advice can continue to access it.
Richard Atkinson, president of the Law Society of England and Wales, called for the LAA to “get a grip” on the situation immediately.
“The incident once again demonstrates the need for sustained investment to bring the LAA’s antiquated IT system up to date and ensure the public have continued trust in the justice system,” he added.
“The fragility of the IT system has prevented vital reforms, including updates to the means test that could help millions more access legal aid, and interim payments for firms whose cashflow is being decimated by the backlogs in the courts, through no fault of their own. If it is now also proving vulnerable to cyberattack, further delay is untenable.
“Legal aid firms are small businesses providing an important public service and are operating on the margins of financial viability. Given that vulnerability, these financial security concerns are the last thing they need.”
The LAA is an MoJ-backed agency set up in 2013 to “ensure fair, prompt and effective access to civil and criminal legal aid”, according to the ministry.
The LAA’s online digital services, which are used by legal aid providers to log their work and get paid by the government, have been taken offline.
The MoJ said it has been working with the National Crime Agency and the National Cyber Security Centre, and has informed the information commissioner.
