A “significant amount of personal data” of people who applied to the Legal Aid Agency – including criminal records – was accessed and downloaded by hackers, the Ministry of Justice (MoJ) has said.
The group that carried out the cyber attack says it accessed 2.1 million pieces of data, but the MoJ has not verified that figure, it is understood.
The government became aware of the incident on 23 April, but realised on Friday it was more extensive than first thought.
An MoJ source put the breach down to the “neglect and mismanagement” of the previous government, saying vulnerabilities in the Legal Aid Agency systems have been known for many years.
The Legal Aid Agency (LAA), is an executive agency, sponsored by the MoJ, which is responsible for administering legal aid funding – around £2.3bn in 2023/24.
The data accessed affected those who applied for legal aid in the last 15 years, and may include contact details and addresses of legal aid applicants, their dates of birth, national insurance numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments.
The MoJ has urged anyone who applied for legal aid since 2010 to update any passwords that could have been exposed, and be alert to unknown messages and phone calls.
The organisation’s digital services, which are used by legal aid providers to log their work and get paid, have been taken offline.
‘We needed to take radical action’
Legal Aid Agency chief executive Jane Harbottle has apologised for the breach and acknowledged the news would be “shocking and upsetting”.
“Since the discovery of the attack, my team has been working around the clock with the National Cyber Security Centre to bolster the security of our systems so we can safely continue the vital work of the agency,” she said.
“However, it has become clear that, to safeguard the service and its users, we needed to take radical action. That is why we’ve taken the decision to take the online service down,” she said.
Ms Harbottle said contingency plans are in place for those who need legal support and advice.
The Ministry of Justice (MoJ) said it is working with the National Crime Agency and National Cyber Security Centre to investigate the data breach.
The National Crime Agency said it was aware of the incident and was working closely with the MoJ to “better understand the incident and support the department”.
It comes after retailers Co-op, Harrods and Marks & Spencer were hit by cyber attacks, although there is no suggestion that they are connected to the incident at the LAA.