Asked by: Chris Bloore (Labour - Redditch)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, whether the Legal Aid Agency informed the Information Commissioner’s Office of the April 2025 data breach within the required statutory timescale; what investigations have been launched by her Department or the ICO into the breach; and whether her Department plans to commission an independent review into the handling of the cyber-attack and the subsequent response by the Legal Aid Agency.
Answered by Sarah Sackman - Minister of State (Ministry of Justice)
To ensure we reached as many potentially impacted individuals as possible, the Ministry of Justice published a notice as swiftly as possible at 08:15 on 19 May on GOV.UK.
The statement provides information about the cyber-attack and directs concerned members of the public to the National Cyber Security Centre’s webpage, which contains information on how to protect against the impacts of a data breach. If it is identified that a specific individual is at risk, action will be taken to try to contact them.
The published statement referred to above sets out information about who may have been impacted and the categories of data exfiltrated. It remains the case that there is no evidence to suggest that any of the data accessed has been published.
The recent data breach is the result of serious criminal activity, but it was enabled by the fragility of the LAA’s IT systems as a result of long term underinvestment under the last Conservative Government. By contrast, since taking power this Government has prioritised work to reverse the damage of over a decade of under-investment. That includes the allocation of over £20 million in extra funding this year to stabilise and transform the Legal Aid Agency digital services. This investment will make the system more robust and resilient in the face of similar cyber-attacks in future.
The Legal Aid Agency is complying with all legal and regulatory requirements arising from the cyber-attack. The current priority is the restoration of services and the prevention of future attacks. Once we can be assured that our legal aid services are operating properly and handling people’s data in a safe way, there will need to be a stocktake and an effort to learn lessons.
It is too early to comment on what remedial actions, if any, may be appropriate for impacted individuals, whether clients or providers.
Asked by: Chris Bloore (Labour - Redditch)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, what steps her Department and the Legal Aid Agency have taken to notify individuals whose personal data was compromised in the April 2025 cyber-attack; whether the Legal Aid Agency has notified affected people directly; and what criteria are being used by the Legal Aid Agency to determine which people are contacted following the breach.
Answered by Sarah Sackman - Minister of State (Ministry of Justice)
To ensure we reached as many potentially impacted individuals as possible, the Ministry of Justice published a notice as swiftly as possible at 08:15 on 19 May on GOV.UK.
The statement provides information about the cyber-attack and directs concerned members of the public to the National Cyber Security Centre’s webpage, which contains information on how to protect against the impacts of a data breach. If it is identified that a specific individual is at risk, action will be taken to try to contact them.
The published statement referred to above sets out information about who may have been impacted and the categories of data exfiltrated. It remains the case that there is no evidence to suggest that any of the data accessed has been published.
The recent data breach is the result of serious criminal activity, but it was enabled by the fragility of the LAA’s IT systems as a result of long term underinvestment under the last Conservative Government. By contrast, since taking power this Government has prioritised work to reverse the damage of over a decade of under-investment. That includes the allocation of over £20 million in extra funding this year to stabilise and transform the Legal Aid Agency digital services. This investment will make the system more robust and resilient in the face of similar cyber-attacks in future.
The Legal Aid Agency is complying with all legal and regulatory requirements arising from the cyber-attack. The current priority is the restoration of services and the prevention of future attacks. Once we can be assured that our legal aid services are operating properly and handling people’s data in a safe way, there will need to be a stocktake and an effort to learn lessons.
It is too early to comment on what remedial actions, if any, may be appropriate for impacted individuals, whether clients or providers.
Asked by: Chris Bloore (Labour - Redditch)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, how many people were impacted by the cyber-attack on the Legal Aid Agency’s IT systems on 23 April 2025; what categories of (a) personal and (b) sensitive data were (i) accessed and (ii) taken; and what security measures were in place to protect the data of Legal Aid applicants prior to the breach.
Answered by Sarah Sackman - Minister of State (Ministry of Justice)
To ensure we reached as many potentially impacted individuals as possible, the Ministry of Justice published a notice as swiftly as possible at 08:15 on 19 May on GOV.UK.
The statement provides information about the cyber-attack and directs concerned members of the public to the National Cyber Security Centre’s webpage, which contains information on how to protect against the impacts of a data breach. If it is identified that a specific individual is at risk, action will be taken to try to contact them.
The published statement referred to above sets out information about who may have been impacted and the categories of data exfiltrated. It remains the case that there is no evidence to suggest that any of the data accessed has been published.
The recent data breach is the result of serious criminal activity, but it was enabled by the fragility of the LAA’s IT systems as a result of long term underinvestment under the last Conservative Government. By contrast, since taking power this Government has prioritised work to reverse the damage of over a decade of under-investment. That includes the allocation of over £20 million in extra funding this year to stabilise and transform the Legal Aid Agency digital services. This investment will make the system more robust and resilient in the face of similar cyber-attacks in future.
The Legal Aid Agency is complying with all legal and regulatory requirements arising from the cyber-attack. The current priority is the restoration of services and the prevention of future attacks. Once we can be assured that our legal aid services are operating properly and handling people’s data in a safe way, there will need to be a stocktake and an effort to learn lessons.
It is too early to comment on what remedial actions, if any, may be appropriate for impacted individuals, whether clients or providers.
Asked by: Chris Bloore (Labour - Redditch)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, what support is being provided by (a) the Legal Aid Agency and (b) her Department to people whose data was compromised in the April 2025 cyber-attack; and whether those affected have been offered access to (i) credit monitoring, (ii) identity protection services and (iii) any other assistance.
Answered by Sarah Sackman - Minister of State (Ministry of Justice)
To ensure we reached as many potentially impacted individuals as possible, the Ministry of Justice published a notice as swiftly as possible at 08:15 on 19 May on GOV.UK.
The statement provides information about the cyber-attack and directs concerned members of the public to the National Cyber Security Centre’s webpage, which contains information on how to protect against the impacts of a data breach. If it is identified that a specific individual is at risk, action will be taken to try to contact them.
The published statement referred to above sets out information about who may have been impacted and the categories of data exfiltrated. It remains the case that there is no evidence to suggest that any of the data accessed has been published.
The recent data breach is the result of serious criminal activity, but it was enabled by the fragility of the LAA’s IT systems as a result of long term underinvestment under the last Conservative Government. By contrast, since taking power this Government has prioritised work to reverse the damage of over a decade of under-investment. That includes the allocation of over £20 million in extra funding this year to stabilise and transform the Legal Aid Agency digital services. This investment will make the system more robust and resilient in the face of similar cyber-attacks in future.
The Legal Aid Agency is complying with all legal and regulatory requirements arising from the cyber-attack. The current priority is the restoration of services and the prevention of future attacks. Once we can be assured that our legal aid services are operating properly and handling people’s data in a safe way, there will need to be a stocktake and an effort to learn lessons.
It is too early to comment on what remedial actions, if any, may be appropriate for impacted individuals, whether clients or providers.