Asked by: Marie Rimmer (Labour - St Helens South and Whiston)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, after the April 2025 data breach of the Legal Advice Agency, what specific steps have been taken, and what further measures are planned, to ensure that a similar security breach does not occur again.
Answered by Sarah Sackman - Minister of State (Ministry of Justice)
We take the security of people’s personal data extremely seriously.
Firstly, to ensure transparency about the cyber- attack and that we reached as many potentially impacted individuals as possible, the Ministry of Justice published a notice shortly after it became aware of the criminal cyber-attack at 08:15 on 19 May on GOV.UK
The notice provided information about the cyber-attack and directed concerned members of the public to the National Cyber Security Centre’s webpage, which contained information on how to protect against the impact of a data breach.
The Legal Aid Agency (LAA) also set up dedicated Customer Services support via a telephone line and email for providers and clients who had concerns regarding the data breach. We did not write to all clients, to all the addresses that we had, because some of those addresses would no longer be current, and that would potentially create another data breach in itself.
The published statement referred to above sets out information about who may have been impacted and the nature of the information which may have been accessed. As far as we are aware, no data has been shared or put out in the public domain. An injunction has been put in place to prohibit sharing of this data. Anyone who does so could be sent to prison. If it is identified that a specific individual is at risk, action will be taken to try to contact them.
In the interests of security, we cannot confirm the method by which unauthorised access was gained to the LAA’s online digital systems or details about specific steps taken or measures implemented to protect LAA systems against any future cyber-attacks.
Security of the new systems has been paramount as we have rebuilt the LAA’s digital systems following the attack. The compromised digital portal has been replaced by a new, secure single sign-in tool for LAA online services (SiLAS). SiLAS has been designed and built in line with UK government and industry best practice for secure development. Security has been included from the ground up, including multi factor authentication, with independent testing activities to validate that the appropriate security controls are in place.
A dedicated team will monitor and update the service to ensure it evolves to remain resilient to emerging threats and is supported by a security operations capability. While no system can be entirely risk free, we are confident that we have taken the right steps to protect the service and its users.
Responsibility for disaster recovery planning for digital systems lies with Justice Digital rather than the LAA. Prior to the cyber- attack there was no digital disaster recovery plan in place. However, had we had a fully funded disaster recovery system, any immediate restoration would have simply restored the systems without resolving the vulnerabilities that enabled the cyber- attack to occur. Justice Digital now have a new Service Owner structure in place where clear Service Standards will be defined and monitored. This will include digital disaster recovery plans for each digital product.
Prior to the cyber- attack the LAA had in place prepared business continuity plans for business-critical processes and services to ensure that access to justice could be maintained in the event of a system outage. These plans were tried and tested, and we were confident that the measures would be effective for our initial response. These measures gave us sufficient time to design and implement longer term measures to meet the specific needs of the incident that were introduced in June 2025.
At every stage, we have acted to protect public access to justice and to support providers in delivering legal aid. We have achieved this without affecting court backlogs or police station activity.
Our business continuity planning was effective in maintaining access to justice from the outset of the attack and the need to have longer term options in place is one of the lessons that we have taken from this incident.
A formal lessons learned approach will systematically analyse lessons from the Ministry of Justice’s and LAA’s preparation for and response to the cyber-attack. This work will cover pre-incident risk management and the response to the incident itself. This will inform future resilience planning, governance improvement and risk mitigation strategies across the Ministry of Justice and its agencies.
Asked by: Marie Rimmer (Labour - St Helens South and Whiston)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, with reference to the the Legal Advice Agency data breach in April 2025, whether his Department and the LAA had a prepared disaster recovery plan prior to the breach.
Answered by Sarah Sackman - Minister of State (Ministry of Justice)
We take the security of people’s personal data extremely seriously.
Firstly, to ensure transparency about the cyber- attack and that we reached as many potentially impacted individuals as possible, the Ministry of Justice published a notice shortly after it became aware of the criminal cyber-attack at 08:15 on 19 May on GOV.UK
The notice provided information about the cyber-attack and directed concerned members of the public to the National Cyber Security Centre’s webpage, which contained information on how to protect against the impact of a data breach.
The Legal Aid Agency (LAA) also set up dedicated Customer Services support via a telephone line and email for providers and clients who had concerns regarding the data breach. We did not write to all clients, to all the addresses that we had, because some of those addresses would no longer be current, and that would potentially create another data breach in itself.
The published statement referred to above sets out information about who may have been impacted and the nature of the information which may have been accessed. As far as we are aware, no data has been shared or put out in the public domain. An injunction has been put in place to prohibit sharing of this data. Anyone who does so could be sent to prison. If it is identified that a specific individual is at risk, action will be taken to try to contact them.
In the interests of security, we cannot confirm the method by which unauthorised access was gained to the LAA’s online digital systems or details about specific steps taken or measures implemented to protect LAA systems against any future cyber-attacks.
Security of the new systems has been paramount as we have rebuilt the LAA’s digital systems following the attack. The compromised digital portal has been replaced by a new, secure single sign-in tool for LAA online services (SiLAS). SiLAS has been designed and built in line with UK government and industry best practice for secure development. Security has been included from the ground up, including multi factor authentication, with independent testing activities to validate that the appropriate security controls are in place.
A dedicated team will monitor and update the service to ensure it evolves to remain resilient to emerging threats and is supported by a security operations capability. While no system can be entirely risk free, we are confident that we have taken the right steps to protect the service and its users.
Responsibility for disaster recovery planning for digital systems lies with Justice Digital rather than the LAA. Prior to the cyber- attack there was no digital disaster recovery plan in place. However, had we had a fully funded disaster recovery system, any immediate restoration would have simply restored the systems without resolving the vulnerabilities that enabled the cyber- attack to occur. Justice Digital now have a new Service Owner structure in place where clear Service Standards will be defined and monitored. This will include digital disaster recovery plans for each digital product.
Prior to the cyber- attack the LAA had in place prepared business continuity plans for business-critical processes and services to ensure that access to justice could be maintained in the event of a system outage. These plans were tried and tested, and we were confident that the measures would be effective for our initial response. These measures gave us sufficient time to design and implement longer term measures to meet the specific needs of the incident that were introduced in June 2025.
At every stage, we have acted to protect public access to justice and to support providers in delivering legal aid. We have achieved this without affecting court backlogs or police station activity.
Our business continuity planning was effective in maintaining access to justice from the outset of the attack and the need to have longer term options in place is one of the lessons that we have taken from this incident.
A formal lessons learned approach will systematically analyse lessons from the Ministry of Justice’s and LAA’s preparation for and response to the cyber-attack. This work will cover pre-incident risk management and the response to the incident itself. This will inform future resilience planning, governance improvement and risk mitigation strategies across the Ministry of Justice and its agencies.
Asked by: Marie Rimmer (Labour - St Helens South and Whiston)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, what assessment he has made of the adequacy of disaster recovery planning at the Legal Aid Agency prior to the cyber-attack of April 2025.
Answered by Sarah Sackman - Minister of State (Ministry of Justice)
We take the security of people’s personal data extremely seriously.
Firstly, to ensure transparency about the cyber- attack and that we reached as many potentially impacted individuals as possible, the Ministry of Justice published a notice shortly after it became aware of the criminal cyber-attack at 08:15 on 19 May on GOV.UK
The notice provided information about the cyber-attack and directed concerned members of the public to the National Cyber Security Centre’s webpage, which contained information on how to protect against the impact of a data breach.
The Legal Aid Agency (LAA) also set up dedicated Customer Services support via a telephone line and email for providers and clients who had concerns regarding the data breach. We did not write to all clients, to all the addresses that we had, because some of those addresses would no longer be current, and that would potentially create another data breach in itself.
The published statement referred to above sets out information about who may have been impacted and the nature of the information which may have been accessed. As far as we are aware, no data has been shared or put out in the public domain. An injunction has been put in place to prohibit sharing of this data. Anyone who does so could be sent to prison. If it is identified that a specific individual is at risk, action will be taken to try to contact them.
In the interests of security, we cannot confirm the method by which unauthorised access was gained to the LAA’s online digital systems or details about specific steps taken or measures implemented to protect LAA systems against any future cyber-attacks.
Security of the new systems has been paramount as we have rebuilt the LAA’s digital systems following the attack. The compromised digital portal has been replaced by a new, secure single sign-in tool for LAA online services (SiLAS). SiLAS has been designed and built in line with UK government and industry best practice for secure development. Security has been included from the ground up, including multi factor authentication, with independent testing activities to validate that the appropriate security controls are in place.
A dedicated team will monitor and update the service to ensure it evolves to remain resilient to emerging threats and is supported by a security operations capability. While no system can be entirely risk free, we are confident that we have taken the right steps to protect the service and its users.
Responsibility for disaster recovery planning for digital systems lies with Justice Digital rather than the LAA. Prior to the cyber- attack there was no digital disaster recovery plan in place. However, had we had a fully funded disaster recovery system, any immediate restoration would have simply restored the systems without resolving the vulnerabilities that enabled the cyber- attack to occur. Justice Digital now have a new Service Owner structure in place where clear Service Standards will be defined and monitored. This will include digital disaster recovery plans for each digital product.
Prior to the cyber- attack the LAA had in place prepared business continuity plans for business-critical processes and services to ensure that access to justice could be maintained in the event of a system outage. These plans were tried and tested, and we were confident that the measures would be effective for our initial response. These measures gave us sufficient time to design and implement longer term measures to meet the specific needs of the incident that were introduced in June 2025.
At every stage, we have acted to protect public access to justice and to support providers in delivering legal aid. We have achieved this without affecting court backlogs or police station activity.
Our business continuity planning was effective in maintaining access to justice from the outset of the attack and the need to have longer term options in place is one of the lessons that we have taken from this incident.
A formal lessons learned approach will systematically analyse lessons from the Ministry of Justice’s and LAA’s preparation for and response to the cyber-attack. This work will cover pre-incident risk management and the response to the incident itself. This will inform future resilience planning, governance improvement and risk mitigation strategies across the Ministry of Justice and its agencies.
Asked by: Marie Rimmer (Labour - St Helens South and Whiston)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, what is the determined method by which unauthorised access was gained to the Legal Aid Agency's online digital systems during the April 2025 data breach.
Answered by Sarah Sackman - Minister of State (Ministry of Justice)
We take the security of people’s personal data extremely seriously.
Firstly, to ensure transparency about the cyber- attack and that we reached as many potentially impacted individuals as possible, the Ministry of Justice published a notice shortly after it became aware of the criminal cyber-attack at 08:15 on 19 May on GOV.UK
The notice provided information about the cyber-attack and directed concerned members of the public to the National Cyber Security Centre’s webpage, which contained information on how to protect against the impact of a data breach.
The Legal Aid Agency (LAA) also set up dedicated Customer Services support via a telephone line and email for providers and clients who had concerns regarding the data breach. We did not write to all clients, to all the addresses that we had, because some of those addresses would no longer be current, and that would potentially create another data breach in itself.
The published statement referred to above sets out information about who may have been impacted and the nature of the information which may have been accessed. As far as we are aware, no data has been shared or put out in the public domain. An injunction has been put in place to prohibit sharing of this data. Anyone who does so could be sent to prison. If it is identified that a specific individual is at risk, action will be taken to try to contact them.
In the interests of security, we cannot confirm the method by which unauthorised access was gained to the LAA’s online digital systems or details about specific steps taken or measures implemented to protect LAA systems against any future cyber-attacks.
Security of the new systems has been paramount as we have rebuilt the LAA’s digital systems following the attack. The compromised digital portal has been replaced by a new, secure single sign-in tool for LAA online services (SiLAS). SiLAS has been designed and built in line with UK government and industry best practice for secure development. Security has been included from the ground up, including multi factor authentication, with independent testing activities to validate that the appropriate security controls are in place.
A dedicated team will monitor and update the service to ensure it evolves to remain resilient to emerging threats and is supported by a security operations capability. While no system can be entirely risk free, we are confident that we have taken the right steps to protect the service and its users.
Responsibility for disaster recovery planning for digital systems lies with Justice Digital rather than the LAA. Prior to the cyber- attack there was no digital disaster recovery plan in place. However, had we had a fully funded disaster recovery system, any immediate restoration would have simply restored the systems without resolving the vulnerabilities that enabled the cyber- attack to occur. Justice Digital now have a new Service Owner structure in place where clear Service Standards will be defined and monitored. This will include digital disaster recovery plans for each digital product.
Prior to the cyber- attack the LAA had in place prepared business continuity plans for business-critical processes and services to ensure that access to justice could be maintained in the event of a system outage. These plans were tried and tested, and we were confident that the measures would be effective for our initial response. These measures gave us sufficient time to design and implement longer term measures to meet the specific needs of the incident that were introduced in June 2025.
At every stage, we have acted to protect public access to justice and to support providers in delivering legal aid. We have achieved this without affecting court backlogs or police station activity.
Our business continuity planning was effective in maintaining access to justice from the outset of the attack and the need to have longer term options in place is one of the lessons that we have taken from this incident.
A formal lessons learned approach will systematically analyse lessons from the Ministry of Justice’s and LAA’s preparation for and response to the cyber-attack. This work will cover pre-incident risk management and the response to the incident itself. This will inform future resilience planning, governance improvement and risk mitigation strategies across the Ministry of Justice and its agencies.
Asked by: James McMurdock (Independent - South Basildon and East Thurrock)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, pursuant to Answer of 9th December 2025 to Question 96041, on Reoffenders: Sentencing, what assessment he has made of how frequently courts depart from sentencing guidelines on the basis that it is in the interest of justice to do so.
Answered by Jake Richards - Assistant Whip
All sentencing courts in England and Wales must follow any sentencing guidelines which are relevant to the offender’s case, unless it is in the interests of justice not to do so (by virtue of section 59 of the Sentencing Code).
Whilst there is a high bar for departing from the guidelines, it is necessary, in the interests of justice, that courts retain the discretion to do so, where the individual case and circumstances warrant it. If a court departs from the guidelines, it must give reasons for doing so.
As mentioned in my previous response, the Sentencing Council has a statutory duty to monitor and evaluate all definitive guidelines to assess their impact on sentencing outcomes and ensure they operate as intended. Analysis conducted by the Council between 2010 and 2015 demonstrated that the vast majority of sentences imposed for offences for which there were offence-specific guidelines were within the sentence range set out in the guidelines. The findings are presented in the Council’s annual reports for 2010/11 through 2014/15 which are available on its website. As part of its ongoing monitoring of the use of guidelines, the Council conducts quantitative and qualitative research to determine how the guidelines are being used and the effect they are having on sentencing practice. These evaluations will highlight any issues if departures from guidelines are commonplace for a particular offence(s) or aspect of sentencing.
Asked by: James McMurdock (Independent - South Basildon and East Thurrock)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, what assessment he has made of whether the discretion for courts to depart from sentencing guidelines in the interests of justice affects the (a) consistency and (b) effectiveness of sentencing outcomes.
Answered by Jake Richards - Assistant Whip
All sentencing courts in England and Wales must follow any sentencing guidelines which are relevant to the offender’s case, unless it is in the interests of justice not to do so (by virtue of section 59 of the Sentencing Code).
Whilst there is a high bar for departing from the guidelines, it is necessary, in the interests of justice, that courts retain the discretion to do so, where the individual case and circumstances warrant it. If a court departs from the guidelines, it must give reasons for doing so.
As mentioned in my previous response, the Sentencing Council has a statutory duty to monitor and evaluate all definitive guidelines to assess their impact on sentencing outcomes and ensure they operate as intended. Analysis conducted by the Council between 2010 and 2015 demonstrated that the vast majority of sentences imposed for offences for which there were offence-specific guidelines were within the sentence range set out in the guidelines. The findings are presented in the Council’s annual reports for 2010/11 through 2014/15 which are available on its website. As part of its ongoing monitoring of the use of guidelines, the Council conducts quantitative and qualitative research to determine how the guidelines are being used and the effect they are having on sentencing practice. These evaluations will highlight any issues if departures from guidelines are commonplace for a particular offence(s) or aspect of sentencing.
Asked by: Pam Cox (Labour - Colchester)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, how many and what proportion of prisoners have been released with a resettlement passport in each month since their introduction.
Answered by Jake Richards - Assistant Whip
The Government is committed to ensuring individuals have plans in place before release, identifying needs early, and linking people to the right support, such as housing, employment, and health services, to help reduce reoffending. No prisoners have left with a resettlement passport as formal introduction of a digital tool is yet to take place. However, development work has marked important progress in testing approaches to improve pre-release planning across the estate.
This testing, carried out in ten prisons and four probation regions, has gathered valuable insight and learning throughout, including a comprehensive understanding of current practice and identification of gaps and opportunities in service delivery. It has also provided insight relevant to ARNS (Assess, Risks, Needs and Strengths), supporting its development as part of HMPPS’s wider digital transformation strategy. ARNS is designed to modernise offender assessments by moving towards a more dynamic, collaborative, and strength-based approach to resettlement planning, offender management, and risk assessment.
These findings will feed into work to improve the operational processes to support preparation for release, to support delivery of recommendations from the Independent Review of Sentencing.
Asked by: Pam Cox (Labour - Colchester)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, what progress has been made to introduce resettlement passports for prison leavers.
Answered by Jake Richards - Assistant Whip
The Government is committed to ensuring individuals have plans in place before release, identifying needs early, and linking people to the right support, such as housing, employment, and health services, to help reduce reoffending. No prisoners have left with a resettlement passport as formal introduction of a digital tool is yet to take place. However, development work has marked important progress in testing approaches to improve pre-release planning across the estate.
This testing, carried out in ten prisons and four probation regions, has gathered valuable insight and learning throughout, including a comprehensive understanding of current practice and identification of gaps and opportunities in service delivery. It has also provided insight relevant to ARNS (Assess, Risks, Needs and Strengths), supporting its development as part of HMPPS’s wider digital transformation strategy. ARNS is designed to modernise offender assessments by moving towards a more dynamic, collaborative, and strength-based approach to resettlement planning, offender management, and risk assessment.
These findings will feed into work to improve the operational processes to support preparation for release, to support delivery of recommendations from the Independent Review of Sentencing.
Asked by: John Hayes (Conservative - South Holland and The Deepings)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, how many full-time equivalent staff in his Department have been employed for the purpose of making social media content in each of the past three years.
Answered by Jake Richards - Assistant Whip
Due to the difficulty of disaggregating the number of staff who are employed to produce social media content from staff who are employed to work on a broader digital communications, it is not possible to report exact figures in response to this question.
Asked by: James McMurdock (Independent - South Basildon and East Thurrock)
Question to the Ministry of Justice:
To ask the Secretary of State for Justice, what data he holds on the reoffending rates of individuals convicted of offences relating to illegal entry into the UK.
Answered by Jake Richards - Assistant Whip
Providing this would incur disproportionate costs.
More broadly the Government is tackling the root causes of reoffending by investing in a range of services which address offenders’ underlying criminogenic needs and support their rehabilitation journey. This includes education, employment, accommodation and access to substance misuse treatment.