Legal Aid Agency: Cyber-security Incident Debate
Full Debate: Read Full DebateDepartment: Ministry of Justice
Kieran Mullan
Main Page: Kieran Mullan (Conservative - Bexhill and Battle)Department Debates - View all Kieran Mullan's debates with the Ministry of Justice
Legal Aid Agency: Cyber-security Incident
Kieran Mullan Excerpts(1 day, 19 hours ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Dr Kieran Mullan (Bexhill and Battle) (Con)
I thank the Minister for advance sight of her statement, although it was pretty disappointing to hear her deliver it as written. Before I had seen her statement, I drafted one of my own. In it, I was clear that I would limit my party political remarks, and thinking that the Minister would devote a significant part of her statement to condemning the immoral, malicious, criminal actors who are responsible for this attack, I intended to begin with strong words of support for what she said. However, if Members listened closely, they would have heard that she devoted most of her time to party political attacks, and managed barely one sentence of condemnation. I suggest that she looks at her statement when she leaves the Chamber, and reflects on that.
I will say what the Minister should have said to all those worried by what has happened, including those who may be victims of fraud as a result, and taxpayers who will pick up the bill: we should never lose sight of the fact that whatever the role of any Government, past or present, in unsuccessfully defending against such attacks, the primary responsibility for this lies with the despicable criminals who carried it out. This was not just an attack on a digital system; it was an attack on some of the most vulnerable in our society. Their data is deeply personal in some cases, given that sensitive medical records have been exposed. It is utterly appalling. We welcome the fact that the National Crime Agency and the National Cyber Security Centre are involved, and I hope that the Minister will agree that those behind this breach must be brought to justice. Nothing should stand in the way of full accountability for this crime.
Addressing the actions of those behind the attack is paramount. The Minister may seek to focus blame on a previous Government, but I have questions about this Government’s response. First, why was the decision taken not to inform the House and the public about the breach when it was first discovered on 23 April? We now learn that the impact may extend to those who made applications as far back as 2010, and that more than 2 million pieces of information have been accessed. The delay of nearly a month in notifying the public and/or understanding the nature of the attack could have hindered individuals from taking necessary steps to protect themselves from potential harm, such as fraud or harassment.
Secondly, the Minister mentioned taking systems offline that are crucial for legal professional payments. Can she provide a clear update on the operational status of those systems? If they are not yet fully functional, what is the estimated timeline for their restoration? She mentioned contingency plans; could she tell us more about their nature? Thirdly, can she share any information about the origin of this attack? Is it believed to be a state-linked criminal enterprise? Fourthly, has the Ministry of Justice initiated a thorough risk assessment of its other digital systems, and digital systems across Government more widely? She says that the Government believe that the attack is contained, but on what basis has she reached that conclusion?
Fifthly, the Minister talked about the £20 million set aside for delivering improved systems. She will know the challenges that previous Governments faced in attempting to upgrade those systems. What specific improvements will be achieved by this funding, and when? Finally, will the Minister give a commitment to full transparency for the House, through regular updates as the investigations progress? She mentioned seeking to make the public more aware of the issue, so that people know if they might be affected. Will she ensure that those affected by this breach are directly contacted and offered appropriate support? Will she reiterate the Government’s commitment to ensuring that those responsible are brought to justice? The security of our justice system, public confidence and the wellbeing of vulnerable individuals depend on a robust and transparent response to this serious incident.
Sarah Sackman
The hon. Member is right to say that those responsible for this attack on our justice system are criminals—no ifs, no buts. What they have perpetrated on our legal aid systems is not only dangerous; it exposes the data of legal aid providers and applicants. The threats made to the Government are entirely unacceptable and malicious, and the Government will be robust in their response and in pursuing justice; I think I made that clear in my statement.
It is important that we are honest and frank about the vulnerability of the legacy IT systems that support our legal aid system. The vulnerability of that system exposed both legal aid providers and end users—as the hon. Member says, some of the most vulnerable people in our society—to unacceptable risk. I am focused on the short term and eliminating the threat, but also on the long term, on investing in resilience, and on the rescue and transformation of the platforms, so that we who are responsible for the legal aid system and our wider justice system do not expose people to that risk again.
The hon. Member asks why the House was not informed when Ministers were informed, in late April. The reason for that is simple: when Ministers were first informed about the exposure of the Legal Aid Agency’s digital platforms to this risk, the full extent of the risk, and the nature and extent of the data put at risk, were not fully understood. As a Minister, I have competing responsibilities. I have a responsibility to keep the legal aid system going—to ensure that those who need to access legal support can do so, and that those providing legal aid to vulnerable clients are paid. At that point, given the understood risk, the responsibility to keep the system going outweighed any need to inform the House of the exposure of the system. However, the most important people in the system—the legal aid providers and, by extension, their clients—were informed, as was the Information Commissioner, whom we are legally obliged to inform. When the greater extent of the risk became known, we promptly and transparently informed the House of the position. That was a transparent and proportionate response to our understanding of the evolving criminal theat.
The shadow Minister asked about the restoration of the system. The system has been closed down to negate the threat and prevent further exposure of legal aid providers and users. We will not reopen the system until we are satisfied that it is safe to do so. As he will understand, I cannot comment further on this live and sensitive situation. However, I can assure him that we have put in place contingency plans to ensure that those who need to apply for legal support in the coming days and weeks, and those who are currently accessing legal aid, can provide information to the legal aid agencies through alternative means, so that we can keep the show on the road.
The shadow Minister asks about wider Government exposure to any risks. As I have mentioned, regrettably, Government Departments, local authorities, universities and our best-known businesses are exposed to the sort of criminal activity that the Legal Aid Agency has experienced, but from what we know, this attack is confined to the Legal Aid Agency, and goes no wider than that. He asks about our long-term plans. As I have said, our long-term plans involve a significant investment of £20 million to stabilise and transform the service. Indeed, we know about today’s threat partly because of the investment that we have made since we came into government. We discovered the threat and became alive to the fact that hackers were infiltrating the system partly because of the work that we were doing to stabilise and transform the system. That work has to continue. The Lord Chancellor and I will look at whether we can expedite some of that work to bake resilience into the system.
The shadow Minister asked about full transparency and keeping the House up to date. As I said, I will provide a written update in due course, and today I can undertake to provide full transparency. Legal aid providers have been kept fully informed along the way, as have our professional bodies, such as the Law Society and the Bar Council, many of which are legal aid providers. That is because we need all of them, working in a robust system, to deliver the justice and legal aid that people so sorely need.