Legal Aid Agency: Cybersecurity Incident Debate

Department: Ministry of Justice

Legal Aid Agency: Cybersecurity Incident

Lord Keen of Elie Excerpts
Tuesday 20th May 2025

Lords Chamber
Lord Keen of Elie (Con)

My Lords, while the Government Benches may criticise the role of successive Governments in preventing cyberattacks, we must not lose sight of where the true blame lies. The primary responsibility for this deeply troubling incident rests with the malicious individuals who orchestrated it.

This was not merely a digital intrusion; it was a direct assault on some of the most vulnerable members of our society. The data accessed is, in many cases, highly sensitive—it includes medical and other personal records—and the scale and nature of the information compromised over a period, apparently, from 2010, may mark this as one of the more serious data breaches that the Government have suffered in recent years.

Given the gravity of the situation, will the Minister confirm how many individuals have been affected? How are the Government supporting the individuals whose data has been exposed? Is he able to confirm the possible motive and identity of the attackers? Has there, for example, been any form of ransom demand from those who perpetrated this act? We welcome the involvement of the National Crime Agency and the National Cyber Security Centre. Their expertise will be essential. Clearly, it is imperative that those responsible for this breach are held to account and brought to justice.

Significant concerns remain regarding the Government’s handling of this matter. I therefore seek clarity from the Minister on a number of issues. Why were Parliament and the public not informed immediately when the breach was discovered on 23 April? We now understand that the data access may include information dating back to 2010, as I said before, and that over 2 million records may have been compromised. The delay of almost a month before this was made public may have prevented individuals taking timely steps to protect themselves from potential risks. Was there a failure to properly appreciate the seriousness of this breach?

Further, can the Minister update the House on the status of the operational systems that are vital for processing legal aid and payments to legal professionals? If these systems are not fully restored, how can we expect to return to full functionality? It may seem odd to talk about payment of legal aid to lawyers but, of course, those working in the fields of criminal law and family law, which are severely underfunded in many respects, will find the cash flow from the legal fund vital to their continuing activities. It is therefore important that that issue should also be addressed.

We heard in the other place that the Government believe that the incident has been contained. How did the Government arrive at that conclusion, and could the Minister explain to the House what is meant by “contained”? Will he confirm whether the Ministry of Justice has conducted or intends to conduct a comprehensive risk assessment of its wider digital infrastructure? Will similar assessments be made in other departments to safeguard against future vulnerabilities?

I also ask the Minister to ensure that Parliament receives regular and transparent updates as the investigation progresses. It is critical that we and members of the public should be informed clearly and promptly about the consequences of this breach and how it is being addressed. The breach itself represents a significant failure in the protection of our justice system’s digital infrastructure. That is liable to undermine public trust and raises serious concerns about data security and transparency, so I ask the Government to respond with urgency and openness to this issue.

Finally, I will raise a question about the devolved Administrations. For example, Scotland has its own legal aid structure, as, I believe, Northern Ireland does also, but those structures in turn depend on data from the United Kingdom—for example, access to social security data. Have they been impacted by this event? If so, what liaison has there been with the devolved Administrations to try to minimise the difficulties that they may have been caused by this data breach? I am obliged.

Lord Marks of Henley-on-Thames (LD)

My Lords, this cyberattack and its result have exposed the lamentable insecurity of the Legal Aid Agency data systems. The ramifications are serious. The personal information that goes into legal aid applications and is held by legal aid providers includes much highly confidential material, which can be used by criminals not just to embarrass but to defraud and, in some cases, harass applicants for legal aid. We are told that the attackers in this case accessed residential addresses, contact details, dates of birth, and employment and financial data—indeed, much of the material that identity checkers seek and criminals could profit from. As the noble and learned Lord, Lord Keen of Elie, said, it appears to have affected 2 million items of data and legal aid applications going back as far as 2010. In addition, as became clear in the House of Commons, that information would have included sensitive medical information. Indeed, that must be right, because many applicants for legal aid would include such information with their applications. Can the Minister say whether there are plans to establish a dedicated helpline or other support systems, and if so what support systems, for individuals who may seek advice or protection in the light of this attack?

Of course, our first condemnation is for the callous criminality of the attackers, whose actions exposed so many vulnerable individuals to risk. These cyberattacks appear, according to the Minister in the other place, to have come from organised crime. It would be helpful for the Minister, so far as possible and without jeopardising security, to give an account to the House of what steps the Ministry of Justice takes routinely and has taken in the light of this case to protect the data of those seeking to access legal aid.

This question is similar to one asked by the noble and learned Lord: will the MoJ carry out a full independent inquiry into this attack, and what can be done to restore public confidence in its future cybersecurity arrangements? We understand the need for the Legal Aid Agency’s systems to go offline in the short term, as they have, but can the Government say how long the shutdown of online services is likely to last and how far the legal aid system will be impacted through delays and in reduced ability to deal with its workload?

We should not underestimate the degree to which the MoJ’s IT systems are antiquated, inefficient, insecure and, frankly, unfit for purpose. We on these Benches agree that that results from a neglect of the system over years under the preceding Administration. As the Statement rightly points out, the Law Society has been complaining for years about the outdatedness of our legal aid IT systems. The £20 million promised for updating the agency’s systems will help. However, regrettably, I worry that there is some complacency about the sentence in the Statement that reads:

“At this stage, we believe that the breach is contained to the Legal Aid Agency’s systems; there are no indications that other parts of the justice system have been impacted”.


Can the Minister say whether the Government will now institute a survey of current IT systems across the department to consider their security? Will the department also institute a system of regular cybersecurity audits for the future, to ensure robust defence of its digital systems and to prevent recurrence of this breach?

More widely, this event should act as a wake-up call for government as a whole to investigate how far its IT systems can provide the public with a high standard of data security. We hope that the promised cybersecurity and resilience Bill will bring some improvement, but we will not keep citizens’ data secure without investing the necessary resources. The reality is that we are working with old and inefficient systems that, frankly, grow creakier and creakier, just as the ingenuity and criminality of the potential attackers becomes ever more sophisticated, not least as the value of personal data rises and the potential for its abuse becomes ever greater.

The Statement rightly reminds us that every organisation is at risk from this kind of criminal behaviour and government is not exempt. As a vital part of the social compact, it is a responsibility of government to keep the personal data it holds on individuals secure. If government fails to live up to that responsibility, it rightly forfeits public trust and we are concerned to know, from the Government, how they intend to retain that trust.