Asked by: James McMurdock (Independent - South Basildon and East Thurrock)
Question to the Department for Science, Innovation & Technology:
To ask the Secretary of State for Science, Innovation and Technology, what assessment she has made of the adequacy of One Login’s compliance with a) Secure by Design and b) the Cyber Assessment Framework.
Answered by Ian Murray - Minister of State (Department for Science, Innovation and Technology)
GOV.UK One Login is engaging appropriately with the Secure by Design (SbD) assessment process, and SbD principles are already embedded into the service.
GOV.UK One Login was assessed using GovAssure in 2024, the cyber security scheme for assessing government critical systems using the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF) as part of the Government Cyber Security Strategy 2022-2030. GovAssure has multiple phases, which includes an assurance review by an independent assessor. The GOV.UK One Login programme works closely with NCSC to align with the requirements of the CAF.
Asked by: James McMurdock (Independent - South Basildon and East Thurrock)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, what estimate his Department has made of the number of cyber attacks there have been on infrastructure in the last three years.
Answered by Dan Jarvis - Minister of State (Cabinet Office)
Cyber attacks against the UK are increasing in scale and impact. The National Cyber Security Centre (NCSC) categorises cyber incidents that have a substantial impact on the national security, the economy, or critical infrastructure as ‘nationally significant incidents’. In the 12 months to August 2023, 62 nationally significant incidents were recorded. This increased to 89 in 2024, and further rose to 204 in 2025. NCSC’s Annual Review provides further information on cyber incidents and trends.
On improving the cyber security of national infrastructure, I refer to my answer for UIN 906730, debated on 4 December 2025. The Government is committed to strengthening cyber security across the UK. The recently introduced Cyber Security and Resilience Bill will strengthen the UK’s cyber defences and ensure that critical infrastructure and the digital services on which companies rely are secure.
Asked by: James McMurdock (Independent - South Basildon and East Thurrock)
Question to the HM Treasury:
To ask the Chancellor of the Exchequer, what estimate she has made of the cost of cyber attacks on UK-based businesses in the last 12 months.
Answered by Lucy Rigby - Economic Secretary (HM Treasury)
An increasingly hostile cyber threat poses a risk to the UK economy and public finances. According to the Office for National Statistics, the decline in the manufacture of motor vehicles, observed in the wake of the cyber attack on Jaguar Land Rover, reduced September’s GDP by 0.17%. In the 2022 Fiscal Risks and Sustainability report, the Office for Budget Responsibility estimated that a cyber-attack on critical national infrastructure could temporarily increase borrowing by around £30 billion – equivalent to 1.1% of GDP.
Cyber-attacks have significant costs for UK businesses. Recent KPMG modelling for the Department for Science, Innovation and Technology suggests the average cost of a significant cyber-attack for an individual business in the UK is around £194,729. KPMG estimate this could represent a total yearly cost to businesses in the UK of £14.7 billion, representing 0.5% of the UK’s annual GDP.
The government is committed to strengthening cyber security across the UK. The National Cyber Security Centre (NCSC) provides a range of tools, guidance and support to businesses to improve their cyber security. At last year's Spending Review, the government increased the Single Intelligence Account's budget by £1 billion over the SR period, which funds the critical cybersecurity work conducted by NCSC.
The UK’s cyber resilience relies on all businesses playing their part. The Chancellor of the Exchequer; Secretary of State for Science, Innovation and Technology; Secretary of State for Business and Trade; Minister for Security; CEO of the National Cyber Security Centre and Director General of the National Crime Agency wrote to chief executives and chairs of FTSE 350 companies in October 2025 asking them to make cyber security a top priority.
Asked by: James McMurdock (Independent - South Basildon and East Thurrock)
Question to the HM Treasury:
To ask the Chancellor of the Exchequer, what recent estimate her Department has made of the cost of cyber attacks to the economy.
Answered by Lucy Rigby - Economic Secretary (HM Treasury)
An increasingly hostile cyber threat poses a risk to the UK economy and public finances. According to the Office for National Statistics, the decline in the manufacture of motor vehicles, observed in the wake of the cyber attack on Jaguar Land Rover, reduced September’s GDP by 0.17%. In the 2022 Fiscal Risks and Sustainability report, the Office for Budget Responsibility estimated that a cyber-attack on critical national infrastructure could temporarily increase borrowing by around £30 billion – equivalent to 1.1% of GDP.
Cyber-attacks have significant costs for UK businesses. Recent KPMG modelling for the Department for Science, Innovation and Technology suggests the average cost of a significant cyber-attack for an individual business in the UK is around £194,729. KPMG estimate this could represent a total yearly cost to businesses in the UK of £14.7 billion, representing 0.5% of the UK’s annual GDP.
The government is committed to strengthening cyber security across the UK. The National Cyber Security Centre (NCSC) provides a range of tools, guidance and support to businesses to improve their cyber security. At last year's Spending Review, the government increased the Single Intelligence Account's budget by £1 billion over the SR period, which funds the critical cybersecurity work conducted by NCSC.
The UK’s cyber resilience relies on all businesses playing their part. The Chancellor of the Exchequer; Secretary of State for Science, Innovation and Technology; Secretary of State for Business and Trade; Minister for Security; CEO of the National Cyber Security Centre and Director General of the National Crime Agency wrote to chief executives and chairs of FTSE 350 companies in October 2025 asking them to make cyber security a top priority.
Asked by: David Reed (Conservative - Exmouth and Exeter East)
Question to the Department for Energy Security & Net Zero:
To ask the Secretary of State for Energy Security and Net Zero, what assessment his Department has made on the potential security impacts of cyber attacks on the energy system.
Answered by Michael Shanks - Minister of State (Department for Energy Security and Net Zero)
The Department takes the security and resilience of UK energy infrastructure extremely seriously, including the cyber security of critical infrastructure. Maintaining a secure and reliable energy supply is a key priority.
The Department works closely with partners, including industry, to assess potential risks from cyber threats and their possible impacts on the availability and integrity of energy systems.
These risks are reflected in the National Risk Register, which includes three cyber-related risks owned by the Department. In partnership with the National Cyber Security Centre, the Department ensures threats are understood and appropriate mitigations implemented to maintain robust protections and resilience.
Asked by: David Reed (Conservative - Exmouth and Exeter East)
Question to the Department for Energy Security & Net Zero:
To ask the Secretary of State for Energy Security and Net Zero, whether his Department will require a cyber incident database with compulsory fixes to be created for attacks on the energy system.
Answered by Michael Shanks - Minister of State (Department for Energy Security and Net Zero)
The Department for Energy Security and Net Zero takes the security and resilience of UK energy infrastructure extremely seriously, including the cyber security of critical infrastructure. Maintaining a secure and reliable energy supply is a key priority. The Network and Information Systems (NIS) Regulations impose strict incident-reporting obligations on critical energy operators.
The Government has recently introduced the Cyber Security and Resilience (Network and Information Systems) Bill. The Bill proposes expanding incident-reporting requirements, broadening the scope of reportable events, and enhancing the powers of regulators to oversee compliance and require remedial actions where necessary.
Asked by: Marie Rimmer (Labour - St Helens South and Whiston)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, regarding the cyber attack in April 2025 on the Legal Aid Agency (LAA), other than the information on the LAA’s website, what steps have been taken to notify legal aid applicants that their confidential data has been accessed.
Answered by Sarah Sackman - Minister of State (Ministry of Justice)
We take the security of people’s personal data extremely seriously.
Firstly, to ensure transparency about the cyber-attack and that we reached as many potentially impacted individuals as possible, the Ministry of Justice published a notice shortly after it became aware of the criminal cyber-attack at 08:15 on 19 May on GOV.UK.
The notice provided information about the cyber-attack and directed concerned members of the public to the National Cyber Security Centre’s webpage, which contained information on how to protect against the impact of a data breach.
The Legal Aid Agency (LAA) also set up dedicated Customer Services support via a telephone line and email for providers and clients who had concerns regarding the data breach. We did not write to all clients, to all the addresses that we had, because some of those addresses would no longer be current, and that would potentially create another data breach in itself.
The published statement referred to above sets out information about who may have been impacted and the nature of the information which may have been accessed. As far as we are aware, no data has been shared or put out in the public domain. An injunction has been put in place to prohibit sharing of this data. Anyone who does so could be sent to prison. If it is identified that a specific individual is at risk, action will be taken to try to contact them.
In the interests of security, we cannot confirm the method by which unauthorised access was gained to the LAA’s online digital systems or details about specific steps taken or measures implemented to protect LAA systems against any future cyber-attacks.
Security of the new systems has been paramount as we have rebuilt the LAA’s digital systems following the attack. The compromised digital portal has been replaced by a new, secure single sign-in tool for LAA online services (SiLAS). SiLAS has been designed and built in line with UK government and industry best practice for secure development. Security has been included from the ground up, including multi-factor authentication, with independent testing activities to validate that the appropriate security controls are in place.
A dedicated team will monitor and update the service to ensure it evolves to remain resilient to emerging threats and is supported by a security operations capability. While no system can be entirely risk free, we are confident that we have taken the right steps to protect the service and its users.
Responsibility for disaster recovery planning for digital systems lies with Justice Digital rather than the LAA. Prior to the cyber-attack there was no digital disaster recovery plan in place. However, had we had a fully funded disaster recovery system, any immediate restoration would have simply restored the systems without resolving the vulnerabilities that enabled the cyber-attack to occur. Justice Digital now have a new Service Owner structure in place where clear Service Standards will be defined and monitored. This will include digital disaster recovery plans for each digital product.
Prior to the cyber-attack the LAA had in place prepared business continuity plans for business-critical processes and services to ensure that access to justice could be maintained in the event of a system outage. These plans were tried and tested, and we were confident that the measures would be effective for our initial response. These measures gave us sufficient time to design and implement longer term measures to meet the specific needs of the incident that were introduced in June 2025.
At every stage, we have acted to protect public access to justice and to support providers in delivering legal aid. We have achieved this without affecting court backlogs or police station activity.
Our business continuity planning was effective in maintaining access to justice from the outset of the attack and the need to have longer term options in place is one of the lessons that we have taken from this incident.
A formal lessons learned approach will systematically analyse lessons from the Ministry of Justice’s and LAA’s preparation for and response to the cyber-attack. This work will cover pre-incident risk management and the response to the incident itself. This will inform future resilience planning, governance improvement and risk mitigation strategies across the Ministry of Justice and its agencies.
Asked by: Marie Rimmer (Labour - St Helens South and Whiston)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, what is the determined method by which unauthorised access was gained to the Legal Aid Agency's online digital systems during the April 2025 data breach.
Answered by Sarah Sackman - Minister of State (Ministry of Justice)
We take the security of people’s personal data extremely seriously.
Firstly, to ensure transparency about the cyber-attack and that we reached as many potentially impacted individuals as possible, the Ministry of Justice published a notice shortly after it became aware of the criminal cyber-attack at 08:15 on 19 May on GOV.UK.
The notice provided information about the cyber-attack and directed concerned members of the public to the National Cyber Security Centre’s webpage, which contained information on how to protect against the impact of a data breach.
The Legal Aid Agency (LAA) also set up dedicated Customer Services support via a telephone line and email for providers and clients who had concerns regarding the data breach. We did not write to all clients, to all the addresses that we had, because some of those addresses would no longer be current, and that would potentially create another data breach in itself.
The published statement referred to above sets out information about who may have been impacted and the nature of the information which may have been accessed. As far as we are aware, no data has been shared or put out in the public domain. An injunction has been put in place to prohibit sharing of this data. Anyone who does so could be sent to prison. If it is identified that a specific individual is at risk, action will be taken to try to contact them.
In the interests of security, we cannot confirm the method by which unauthorised access was gained to the LAA’s online digital systems or details about specific steps taken or measures implemented to protect LAA systems against any future cyber-attacks.
Security of the new systems has been paramount as we have rebuilt the LAA’s digital systems following the attack. The compromised digital portal has been replaced by a new, secure single sign-in tool for LAA online services (SiLAS). SiLAS has been designed and built in line with UK government and industry best practice for secure development. Security has been included from the ground up, including multi-factor authentication, with independent testing activities to validate that the appropriate security controls are in place.
A dedicated team will monitor and update the service to ensure it evolves to remain resilient to emerging threats and is supported by a security operations capability. While no system can be entirely risk free, we are confident that we have taken the right steps to protect the service and its users.
Responsibility for disaster recovery planning for digital systems lies with Justice Digital rather than the LAA. Prior to the cyber-attack there was no digital disaster recovery plan in place. However, had we had a fully funded disaster recovery system, any immediate restoration would have simply restored the systems without resolving the vulnerabilities that enabled the cyber-attack to occur. Justice Digital now have a new Service Owner structure in place where clear Service Standards will be defined and monitored. This will include digital disaster recovery plans for each digital product.
Prior to the cyber-attack the LAA had in place prepared business continuity plans for business-critical processes and services to ensure that access to justice could be maintained in the event of a system outage. These plans were tried and tested, and we were confident that the measures would be effective for our initial response. These measures gave us sufficient time to design and implement longer term measures to meet the specific needs of the incident that were introduced in June 2025.
At every stage, we have acted to protect public access to justice and to support providers in delivering legal aid. We have achieved this without affecting court backlogs or police station activity.
Our business continuity planning was effective in maintaining access to justice from the outset of the attack and the need to have longer term options in place is one of the lessons that we have taken from this incident.
A formal lessons learned approach will systematically analyse lessons from the Ministry of Justice’s and LAA’s preparation for and response to the cyber-attack. This work will cover pre-incident risk management and the response to the incident itself. This will inform future resilience planning, governance improvement and risk mitigation strategies across the Ministry of Justice and its agencies.
Asked by: Marie Rimmer (Labour - St Helens South and Whiston)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, what types of personal and sensitive data were compromised in the April 2025 cyber attack on the Legal Aid Agency (LAA) including whether the breach included information on vulnerable individuals such as victims of domestic abuse and asylum seekers.
Answered by Sarah Sackman - Minister of State (Ministry of Justice)
We take the security of people’s personal data extremely seriously.
Firstly, to ensure transparency about the cyber-attack and that we reached as many potentially impacted individuals as possible, the Ministry of Justice published a notice shortly after it became aware of the criminal cyber-attack at 08:15 on 19 May on GOV.UK.
The notice provided information about the cyber-attack and directed concerned members of the public to the National Cyber Security Centre’s webpage, which contained information on how to protect against the impact of a data breach.
The Legal Aid Agency (LAA) also set up dedicated Customer Services support via a telephone line and email for providers and clients who had concerns regarding the data breach. We did not write to all clients, to all the addresses that we had, because some of those addresses would no longer be current, and that would potentially create another data breach in itself.
The published statement referred to above sets out information about who may have been impacted and the nature of the information which may have been accessed. As far as we are aware, no data has been shared or put out in the public domain. An injunction has been put in place to prohibit sharing of this data. Anyone who does so could be sent to prison. If it is identified that a specific individual is at risk, action will be taken to try to contact them.
In the interests of security, we cannot confirm the method by which unauthorised access was gained to the LAA’s online digital systems or details about specific steps taken or measures implemented to protect LAA systems against any future cyber-attacks.
Security of the new systems has been paramount as we have rebuilt the LAA’s digital systems following the attack. The compromised digital portal has been replaced by a new, secure single sign-in tool for LAA online services (SiLAS). SiLAS has been designed and built in line with UK government and industry best practice for secure development. Security has been included from the ground up, including multi-factor authentication, with independent testing activities to validate that the appropriate security controls are in place.
A dedicated team will monitor and update the service to ensure it evolves to remain resilient to emerging threats and is supported by a security operations capability. While no system can be entirely risk free, we are confident that we have taken the right steps to protect the service and its users.
Responsibility for disaster recovery planning for digital systems lies with Justice Digital rather than the LAA. Prior to the cyber-attack there was no digital disaster recovery plan in place. However, had we had a fully funded disaster recovery system, any immediate restoration would have simply restored the systems without resolving the vulnerabilities that enabled the cyber-attack to occur. Justice Digital now have a new Service Owner structure in place where clear Service Standards will be defined and monitored. This will include digital disaster recovery plans for each digital product.
Prior to the cyber-attack the LAA had in place prepared business continuity plans for business-critical processes and services to ensure that access to justice could be maintained in the event of a system outage. These plans were tried and tested, and we were confident that the measures would be effective for our initial response. These measures gave us sufficient time to design and implement longer term measures to meet the specific needs of the incident that were introduced in June 2025.
At every stage, we have acted to protect public access to justice and to support providers in delivering legal aid. We have achieved this without affecting court backlogs or police station activity.
Our business continuity planning was effective in maintaining access to justice from the outset of the attack and the need to have longer term options in place is one of the lessons that we have taken from this incident.
A formal lessons learned approach will systematically analyse lessons from the Ministry of Justice’s and LAA’s preparation for and response to the cyber-attack. This work will cover pre-incident risk management and the response to the incident itself. This will inform future resilience planning, governance improvement and risk mitigation strategies across the Ministry of Justice and its agencies.
Asked by: Marie Rimmer (Labour - St Helens South and Whiston)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, if he will take steps to compensate legal aid providers for disruption caused by the cyberattack on the Legal Aid Agency in April 2025.
Answered by Sarah Sackman - Minister of State (Ministry of Justice)
I refer the honourable Member to the answer I gave on 10 November to Question 87407.