Lord Keen of Elie (Con)

- View Speech - Hansard -

Copy Link

- - Excerpts

My Lords, while the Government Benches may criticise the role of successive Governments in preventing cyberattacks, we must not lose sight of where the true blame lies. The primary responsibility for this deeply troubling incident rests with the malicious individuals who orchestrated it.

This was not merely a digital intrusion; it was a direct assault on some of the most vulnerable members of our society. The data accessed is, in many cases, highly sensitive—it includes medical and other personal records—and the scale and nature of the information compromised over a period, apparently, from 2010, may mark this as one of the more serious data breaches that the Government have suffered in recent years.

Given the gravity of the situation, will the Minister confirm how many individuals have been affected? How are the Government supporting the individuals whose data has been exposed? Is he able to confirm the possible motive and identity of the attackers? Has there, for example, been any form of ransom demand from those who perpetrated this act? We welcome the involvement of the National Crime Agency and the National Cyber Security Centre. Their expertise will be essential. Clearly, it is imperative that those responsible for this breach are held to account and brought to justice.

Significant concerns remain regarding the Government’s handling of this matter. I therefore seek clarity from the Minister on a number of issues. Why were Parliament and the public not informed immediately when the breach was discovered on 23 April? We now understand that the data access may include information dating back to 2010, as I said before, and that over 2 million records may have been compromised. The delay of almost a month before this was made public may have prevented individuals taking timely steps to protect themselves from potential risks. Was there a failure to properly appreciate the seriousness of this breach?

Further, can the Minister update the House on the status of the operational systems that are vital for processing legal aid and payments to legal professionals? If these systems are not fully restored, how can we expect to return to full functionality? It may seem odd to talk about payment of legal aid to lawyers but, of course, those working in the fields of criminal law and family law, which are severely underfunded in many respects, will find the cash flow from the legal fund vital to their continuing activities. It is therefore important that that issue should also be addressed.

We heard in the other place that the Government believe that the incident has been contained. How did the Government arrive at that conclusion, and could the Minister explain to the House what is meant by “contained”? Will he confirm whether the Ministry of Justice has conducted or intends to conduct a comprehensive risk assessment of its wider digital infrastructure? Will similar assessments be made in other departments to safeguard against future vulnerabilities?

I also ask the Minister to ensure that Parliament receives regular and transparent updates as the investigation progresses. It is critical that we and members of the public should be informed clearly and promptly about the consequences of this breach and how it is being addressed. The breach itself represents a significant failure in the protection of our justice system’s digital infrastructure. That is liable to undermine public trust and raises serious concerns about data security and transparency, so I ask the Government to respond with urgency and openness to this issue.

Finally, I will raise a question about the devolved Administrations. For example, Scotland has its own legal aid structure, as, I believe, Northern Ireland does also, but those structures in turn depend on data from the United Kingdom—for example, access to social security data. Have they been impacted by this event? If so, what liaison has there been with the devolved Administrations to try to minimise the difficulties that they may have been caused by this data breach? I am obliged.

The Parliamentary Under-Secretary of State, Ministry of Justice (Lord Ponsonby of Shulbrede) (Lab)

- View Speech - Hansard -

Copy Link

- - Excerpts

I thank both the noble and learned Lord and the noble Lord for their questions. I will endeavour to answer them as fully as I can. I say at the outset that I share their sense of concern about this breach. It is undoubtedly very serious—one of the more serious ones that have happened to Governments in recent years. I agree, of course, with the point that the noble and learned Lord made, that the primary responsibility is with the criminals who themselves undertook this hacking of the LAF systems.

I want to check and correct one point made by the noble and learned Lord, Lord Keen. He spoke about medical records. As far as we are aware, there are no medical records contained within this system. There is other information available, which is, of course, a great cause for concern, but there are no medical records that we are aware of.

The noble and learned Lord asked when Ministers were first made aware of this breach. The departmental staff stood up an immediate operational response upon being made aware and ministerial colleagues and I have been updated throughout. There is a cross-departmental response under way. But it is fair to say that the seriousness of the breach became evident only some time after we were made aware of the initial breach. It was when the situation worsened that it was decided to put the information in the public domain and report the incident to Parliament.

Noble Lords asked how many people have been affected. We have not put forward a number as such. However, they are right to say that we are talking about all the data going back to 2010. That is many thousands of people. The nature of the data is, indeed, personal and people need to take remedial action if they have had interactions with the Legal Aid Agency to make sure that their data is not compromised. So, if people try to contact them on numbers they do not recognise and so forth, they need to be suspicious and careful.

Another central question was about what the Government are advising people to do if they think they may be victims of this theft of data. The primary port of contact will be the providers themselves—the lawyers and barristers who have been using the Legal Aid Agency. They will be in a better position to advise the people who may be victims. However, if we are made aware of individual people who are particularly vulnerable, the MoJ or the Legal Aid Agency will also endeavour to contact them directly. But the primary source of information will be from the providers themselves.

The noble and learned Lord asked me to comment on the nature of the attack. I cannot do that because there is a criminal investigation under way. I will not comment or speculate on the motive either.

Both noble Lords asked about the current operational system. The current system is offline. We hope to get it online as soon as possible, but I am not in a position to give any commitment on that front. I can say that there are systems in place to ensure that the providers themselves will get paid, so that they can continue to work, but it will be a reduced method of payment. I do not mean that the amount of money is less but there will be less systemisation within the payment, if I may put it like that. Nevertheless, the payments will be made in the immediate future.

I reassure noble Lords that all the various government agencies have been informed about this. There is an ongoing risk assessment and there will be an update to Parliament when appropriate.

I can also tell the noble and learned Lord that the devolved Administrations in Northern Ireland and Scotland have been informed and are well aware of this. Although, as he rightly observed, they have stand-alone systems, there is overlap between the two systems. So, although their own systems will not be affected by this, it may be that they will have more restricted access to data from the Legal Aid Agency, which covers England and Wales.

The noble Lord, Lord Marks, asked about a full independent inquiry. I cannot make that commitment, but I can absolutely say that this is being taken extremely seriously across government. There has been a review of systems in other parts of government and, as far as we know, there are no similar hacking attacks in other parts of government, although of course one should not be complacent about these things. I am absolutely sure that these reviews of the other systems will be ongoing, just to check that no future hacks become apparent.

I do not think it is fair for the noble Lord, Lord Marks, to say that there was a degree of complacency in the statement that we believe the breach is contained; that is an honestly held belief. The many professionals involved in containing this particular breach, but also looking across government, are very acutely aware of how systems need to be updated and kept under review, and there needs to be investment. The noble Lord mentioned the sum of money the Government are going to invest, but it is worth repeating the point made by my honourable friend Sarah Sackman that this breach came to light only because of the extra money we are currently putting into the system. It would not have come to light without that additional investment. But, of course, we want to go further, and we need to go further to make sure that the systems are updated as far as possible.

I do not want to make the obvious political points about the legacy systems. I think we all understand the position we are in. Nevertheless, this is a serious matter, we are not at the end of the road yet and I absolutely undertake that we will keep Parliament informed as the situation develops.