UK Legal Aid Agency Hit by Cyberattack, Sensitive Data Stolen

The UK Legal Aid Agency has suffered a major cyberattack, with “significant” sensitive data, including criminal records, stolen. The MoJ is investigating, and data dating back to 2010 may be affected.
The United Kingdom’s Ministry of Justice (MoJ) has confirmed that a significant cyberattack targeted the Legal Aid system, resulting in the theft of a substantial amount of data, including sensitive criminal records. Reportedly, the MoJ became aware of the security breach on April 23rd when unauthorized access to data stretching back to 2010 was detected.
This incident is the latest in a series of cyberattacks causing mass disruption. Recently, Harrods restricted internet access to its sites after a cyberattack, Marks & Spencer lost millions of pounds due to an attack that disrupted its services, while Co-op shut down parts of its IT systems and disrupted fresh stock deliveries following a similar incident.
Initial reports from the MoJ earlier in May described an ongoing “security incident” under investigation, suggesting potential access to payment details. However, the scope of the attack appears far more serious.
While the exact figure of 2.1 million records cited by the group claiming responsibility remains unconfirmed by the Ministry, it acknowledges that a “significant amount” of data was stolen. The Ministry believes the attack is the work of a criminal gang rather than a state-sponsored actor.
This stolen data may include a range of highly sensitive personal details belonging to legal aid applicants, such as contact information, dates of birth, national identification numbers, criminal histories, employment statuses, and financial data like contribution amounts, debts, and payments. It is also likely that the attackers gained access to information related to barristers, solicitors, and various organizations, including non-profit entities, that work with the Legal Aid Agency.
The head of the Legal Aid Agency, Jane Harbottle, has expressed regret and apologized for the incident, stating she understands the news “will be shocking and upsetting for people.”
The MoJ is now working alongside the National Crime Agency and the National Cyber Security Centre to secure their compromised systems. The UK’s data protection authority, the Information Commissioner, has also been informed.
In a comment to Hackread.com, Wayne Cleghorn, Data Protection and Cybersecurity Partner at Excello Law in London, stated, “Cyberattacks of all kinds are rising. Any type of organisation can be a victim. The urgent response is to go back to basics: check key data protection practices, review GDPR compliance, strengthen basic information security safeguards and encourage important suppliers to be on high alert.”
“The problem with data breaches of highly sensitive and special category data is not just the immediate exposure and vulnerabilities caused, it is the unknown future nefarious uses of the stolen data, which can be surprising and very harmful to all involved,” Wayne warned.
For context, the Legal Aid Agency plays a crucial role in the UK’s justice system, providing funding to over 2,000 legal aid providers. In the 2023/24 period alone, the agency administered approximately £2.3 billion. As a direct consequence of the cyberattack, the agency’s online digital services have been taken offline.
The MoJ has urged individuals who have applied for legal aid since 2010 to take proactive measures to protect themselves. These include being cautious about unsolicited calls and text messages and updating weak passwords. Furthermore, the agency advises members of the public who doubt the legitimacy of a digital or phone communication to independently verify the identity of the person contacting them before providing any information.
HackRead