Tuesday 20th May 2025

Lords Chamber
Statement
The following Statement was made in the House of Commons on Monday 19 May.
“With permission, I will make a Statement about an incident that has affected the Legal Aid Agency—an executive agency of the Ministry of Justice. The House will appreciate that while investigations are ongoing, there are limits to the amount of information that I can share publicly. However, the Government wish to be as transparent as possible with Parliament, and I will provide an update based on the information that we currently have.
On Wednesday 23 April, the Legal Aid Agency became aware of a cyberattack on its online digital services. These are the services through which legal aid providers log their work and receive payment from the Government. The Government of course took immediate action to bolster the security of the system, working closely with experts at the National Crime Agency, the Government Cyber Coordination Centre and the National Cyber Security Centre. We alerted the Information Commissioner and, importantly, informed all legal aid providers that some of their details had been compromised. We also took some Legal Aid Agency systems offline between 7 and 11 May to carry out work to contain the breach. Officials have been working around the clock to stabilise the system and support a complex investigation.
I can now confirm that the cyberattack was more extensive than originally thought. On Friday 16 May, we learned from the attackers behind it that they had accessed a large amount of information relating to legal aid applicants, and we assessed that threat to be credible. We believe they have accessed and downloaded a significant amount of personal data from those who applied for legal aid through our digital service some time since 2010. That data may include applicants’ contact details, addresses, date of birth, national ID numbers, criminal history, employment status and financial data, such as contribution amounts, debts and payments. I should stress that this does not mean that every individual involved will be impacted in the same way, but we needed to act to safeguard the service and its users. In line with advice from the National Cyber Security Centre, the Legal Aid Agency took its online services down on Friday. I urge all members of the public who have applied for legal aid since 2010 to be on high alert for any suspicious activity. That includes messages and phone calls from unknown numbers. If anyone is in any doubt at all, please take steps to verify a person’s identity before providing any information.
I understand the gravity of these events. At this stage, we believe that the breach is contained to the Legal Aid Agency’s systems; there are no indications that other parts of the justice system have been impacted. The Government are committed to making every effort to ensure that the vital operational delivery of legal aid continues. We have put in place contingency plans to ensure that those most in need of legal support can continue to access the help that they need.
The House should be in no doubt that the Legal Aid Agency has suffered an unacceptable attack on its systems at the hands of criminals. Sadly, that attack is not altogether surprising; the vulnerabilities in the Legal Aid Agency systems have been known for many years. The risk of such an attack was steadily growing during the previous Government’s tenure, but they took no meaningful action to fix the systems, leaving them vulnerable to attack. The previous Government were repeatedly warned about the Legal Aid Agency systems being old, inflexible and unstable. In 2023, the Law Society called on the Government to urgently invest in the Legal Aid Agency digital system, saying that the system was ‘too fragile to cope’. In March 2024, the Law Society pointed to the agency’s ‘antiquated IT systems’ as
‘evidence of the long-term neglect of our justice system’.
In short, this data breach was made possible by the long years of neglect and mismanagement of the justice system under the last Conservative Government. They knew about the vulnerabilities of the Legal Aid Agency digital systems, but did not act. By contrast, since taking office, this Government have prioritised work to reverse the damage of over a decade of underinvestment. That includes the allocation of over £20 million in extra funding this year to stabilise and transform the Legal Aid Agency digital services. I am extremely grateful to legal aid providers across the country for their patience and co-operation, and to Ministry of Justice officials for their ongoing efforts to secure the system. The investigation is live, and the Government will do everything we can to seek justice.
Recent events have shown that every organisation, no matter how big or small, is at risk from this type of criminal behaviour. Sadly, the Government are not exempt. This incident has none the less demonstrated in stark terms that our legal aid digital systems are critically fragile and not fit for the 21st century. When I took up this ministerial role, I was, frankly, shocked to see just how fragile they were. This Government inherited a legal aid sector that has been neglected for far too long. We have invested in stabilising the current digital systems and have kick-started an ambitious reform programme to transform them. That means creating a modern, user-friendly and resilient service. The programme will also deliver a more flexible service, so that we can implement changes faster, and better respond to changing demands.
That transformation will take time. In the light of this incredibly serious incident, my right honourable friend the Lord Chancellor and I are exploring options to expedite the programme and put our systems on a more secure footing. The Government will not hesitate to act to protect our vital public services, because without legal aid our justice system would grind to a halt. This is an ongoing and sensitive issue, and our investigation and mitigating action continue. To ensure that Members are informed and updated, I will provide a written update in due course. I commend this Statement to the House”.
19:48
Lord Keen of Elie (Con)

My Lords, while the Government Benches may criticise the role of successive Governments in preventing cyberattacks, we must not lose sight of where the true blame lies. The primary responsibility for this deeply troubling incident rests with the malicious individuals who orchestrated it.

This was not merely a digital intrusion; it was a direct assault on some of the most vulnerable members of our society. The data accessed is, in many cases, highly sensitive—it includes medical and other personal records—and the scale and nature of the information compromised over a period, apparently, from 2010, may mark this as one of the more serious data breaches that the Government have suffered in recent years.

Given the gravity of the situation, will the Minister confirm how many individuals have been affected? How are the Government supporting the individuals whose data has been exposed? Is he able to confirm the possible motive and identity of the attackers? Has there, for example, been any form of ransom demand from those who perpetrated this act? We welcome the involvement of the National Crime Agency and the National Cyber Security Centre. Their expertise will be essential. Clearly, it is imperative that those responsible for this breach are held to account and brought to justice.

Significant concerns remain regarding the Government’s handling of this matter. I therefore seek clarity from the Minister on a number of issues. Why were Parliament and the public not informed immediately when the breach was discovered on 23 April? We now understand that the data access may include information dating back to 2010, as I said before, and that over 2 million records may have been compromised. The delay of almost a month before this was made public may have prevented individuals taking timely steps to protect themselves from potential risks. Was there a failure to properly appreciate the seriousness of this breach?

Further, can the Minister update the House on the status of the operational systems that are vital for processing legal aid and payments to legal professionals? If these systems are not fully restored, how can we expect to return to full functionality? It may seem odd to talk about payment of legal aid to lawyers but, of course, those working in the fields of criminal law and family law, which are severely underfunded in many respects, will find the cash flow from the legal fund vital to their continuing activities. It is therefore important that that issue should also be addressed.

We heard in the other place that the Government believe that the incident has been contained. How did the Government arrive at that conclusion, and could the Minister explain to the House what is meant by “contained”? Will he confirm whether the Ministry of Justice has conducted or intends to conduct a comprehensive risk assessment of its wider digital infrastructure? Will similar assessments be made in other departments to safeguard against future vulnerabilities?

I also ask the Minister to ensure that Parliament receives regular and transparent updates as the investigation progresses. It is critical that we and members of the public should be informed clearly and promptly about the consequences of this breach and how it is being addressed. The breach itself represents a significant failure in the protection of our justice system’s digital infrastructure. That is liable to undermine public trust and raises serious concerns about data security and transparency, so I ask the Government to respond with urgency and openness to this issue.

Finally, I will raise a question about the devolved Administrations. For example, Scotland has its own legal aid structure, as, I believe, Northern Ireland does also, but those structures in turn depend on data from the United Kingdom—for example, access to social security data. Have they been impacted by this event? If so, what liaison has there been with the devolved Administrations to try to minimise the difficulties that they may have been caused by this data breach? I am obliged.

Lord Marks of Henley-on-Thames (LD)

My Lords, this cyberattack and its result have exposed the lamentable insecurity of the Legal Aid Agency data systems. The ramifications are serious. The personal information that goes into legal aid applications and is held by legal aid providers includes much highly confidential material, which can be used by criminals not just to embarrass but to defraud and, in some cases, harass applicants for legal aid. We are told that the attackers in this case accessed residential addresses, contact details, dates of birth, and employment and financial data—indeed, much of the material that identity checkers seek and criminals could profit from. As the noble and learned Lord, Lord Keen of Elie, said, it appears to have affected 2 million items of data and legal aid applications going back as far as 2010. In addition, as became clear in the House of Commons, that information would have included sensitive medical information. Indeed, that must be right, because many applicants for legal aid would include such information with their applications. Can the Minister say whether there are plans to establish a dedicated helpline or other support systems, and if so what support systems, for individuals who may seek advice or protection in the light of this attack?

Of course, our first condemnation is for the callous criminality of the attackers, whose actions exposed so many vulnerable individuals to risk. These cyberattacks appear, according to the Minister in the other place, to have come from organised crime. It would be helpful for the Minister, so far as possible and without jeopardising security, to give an account to the House of what steps the Ministry of Justice takes routinely and has taken in the light of this case to protect the data of those seeking to access legal aid.

This question is similar to one asked by the noble and learned Lord: will the MoJ carry out a full independent inquiry into this attack, and what can be done to restore public confidence in its future cybersecurity arrangements? We understand the need for the Legal Aid Agency’s systems to go offline in the short term, as they have, but can the Government say how long the shutdown of online services is likely to last and how far the legal aid system will be impacted through delays and in reduced ability to deal with its workload?

We should not underestimate the degree to which the MoJ’s IT systems are antiquated, inefficient, insecure and, frankly, unfit for purpose. We on these Benches agree that that results from a neglect of the system over years under the preceding Administration. As the Statement rightly points out, the Law Society has been complaining for years about the outdatedness of our legal aid IT systems. The £20 million promised for updating the agency’s systems will help. However, regrettably, I worry that there is some complacency about the sentence in the Statement that reads:

“At this stage, we believe that the breach is contained to the Legal Aid Agency’s systems; there are no indications that other parts of the justice system have been impacted”.


Can the Minister say whether the Government will now institute a survey of current IT systems across the department to consider their security? Will the department also institute a system of regular cybersecurity audits for the future, to ensure robust defence of its digital systems and to prevent recurrence of this breach?

More widely, this event should act as a wake-up call for government as a whole to investigate how far its IT systems can provide the public with a high standard of data security. We hope that the promised cybersecurity and resilience Bill will bring some improvement, but we will not keep citizens’ data secure without investing the necessary resources. The reality is that we are working with old and inefficient systems that, frankly, grow creakier and creakier, just as the ingenuity and criminality of the potential attackers becomes ever more sophisticated, not least as the value of personal data rises and the potential for its abuse becomes ever greater.

The Statement rightly reminds us that every organisation is at risk from this kind of criminal behaviour and government is not exempt. As a vital part of the social compact, it is a responsibility of government to keep the personal data it holds on individuals secure. If government fails to live up to that responsibility, it rightly forfeits public trust and we are concerned to know, from the Government, how they intend to retain that trust.

The Parliamentary Under-Secretary of State, Ministry of Justice (Lord Ponsonby of Shulbrede) (Lab)

I thank both the noble and learned Lord and the noble Lord for their questions. I will endeavour to answer them as fully as I can. I say at the outset that I share their sense of concern about this breach. It is undoubtedly very serious—one of the more serious ones that have happened to Governments in recent years. I agree, of course, with the point that the noble and learned Lord made, that the primary responsibility is with the criminals who themselves undertook this hacking of the LAF systems.

I want to check and correct one point made by the noble and learned Lord, Lord Keen. He spoke about medical records. As far as we are aware, there are no medical records contained within this system. There is other information available, which is, of course, a great cause for concern, but there are no medical records that we are aware of.

The noble and learned Lord asked when Ministers were first made aware of this breach. The departmental staff stood up an immediate operational response upon being made aware and ministerial colleagues and I have been updated throughout. There is a cross-departmental response under way. But it is fair to say that the seriousness of the breach became evident only some time after we were made aware of the initial breach. It was when the situation worsened that it was decided to put the information in the public domain and report the incident to Parliament.

Noble Lords asked how many people have been affected. We have not put forward a number as such. However, they are right to say that we are talking about all the data going back to 2010. That is many thousands of people. The nature of the data is, indeed, personal and people need to take remedial action if they have had interactions with the Legal Aid Agency to make sure that their data is not compromised. So, if people try to contact them on numbers they do not recognise and so forth, they need to be suspicious and careful.

Another central question was about what the Government are advising people to do if they think they may be victims of this theft of data. The primary port of contact will be the providers themselves—the lawyers and barristers who have been using the Legal Aid Agency. They will be in a better position to advise the people who may be victims. However, if we are made aware of individual people who are particularly vulnerable, the MoJ or the Legal Aid Agency will also endeavour to contact them directly. But the primary source of information will be from the providers themselves.

The noble and learned Lord asked me to comment on the nature of the attack. I cannot do that because there is a criminal investigation under way. I will not comment or speculate on the motive either.

Both noble Lords asked about the current operational system. The current system is offline. We hope to get it online as soon as possible, but I am not in a position to give any commitment on that front. I can say that there are systems in place to ensure that the providers themselves will get paid, so that they can continue to work, but it will be a reduced method of payment. I do not mean that the amount of money is less but there will be less systemisation within the payment, if I may put it like that. Nevertheless, the payments will be made in the immediate future.

I reassure noble Lords that all the various government agencies have been informed about this. There is an ongoing risk assessment and there will be an update to Parliament when appropriate.

I can also tell the noble and learned Lord that the devolved Administrations in Northern Ireland and Scotland have been informed and are well aware of this. Although, as he rightly observed, they have stand-alone systems, there is overlap between the two systems. So, although their own systems will not be affected by this, it may be that they will have more restricted access to data from the Legal Aid Agency, which covers England and Wales.

The noble Lord, Lord Marks, asked about a full independent inquiry. I cannot make that commitment, but I can absolutely say that this is being taken extremely seriously across government. There has been a review of systems in other parts of government and, as far as we know, there are no similar hacking attacks in other parts of government, although of course one should not be complacent about these things. I am absolutely sure that these reviews of the other systems will be ongoing, just to check that no future hacks become apparent.

I do not think it is fair for the noble Lord, Lord Marks, to say that there was a degree of complacency in the statement that we believe the breach is contained; that is an honestly held belief. The many professionals involved in containing this particular breach, but also looking across government, are very acutely aware of how systems need to be updated and kept under review, and there needs to be investment. The noble Lord mentioned the sum of money the Government are going to invest, but it is worth repeating the point made by my honourable friend Sarah Sackman that this breach came to light only because of the extra money we are currently putting into the system. It would not have come to light without that additional investment. But, of course, we want to go further, and we need to go further to make sure that the systems are updated as far as possible.

I do not want to make the obvious political points about the legacy systems. I think we all understand the position we are in. Nevertheless, this is a serious matter, we are not at the end of the road yet and I absolutely undertake that we will keep Parliament informed as the situation develops.

20:09
Sitting suspended.