Large-scale breach affects applicants dating back to 2010
The UK Ministry of Justice (MoJ) has confirmed that a cyberattack targeting the Legal Aid Agency has exposed extensive personal data of individuals who applied for legal aid. The breach, first detected on April 23, is now understood to be far more serious than initially reported.
On Friday, the agency acknowledged that the threat actors had accessed and downloaded sensitive applicant information dating back to 2010. The breach has forced the agency to temporarily suspend its online services.
Compromised data includes criminal records and financial information
In a public statement, the agency said:
“We believe the group has accessed and downloaded a significant amount of personal data from those who applied for legal aid through our digital service since 2010.”
The compromised data reportedly includes:
- Names and contact information
- Home addresses
- Dates of birth
- National identification numbers
- Criminal history records
- Employment status
- Financial details, including contribution amounts, debts, and payments
This combination of personal and financial information significantly increases the risk of identity theft and impersonation scams.
Risk of phishing and identity fraud prompts urgent warning
The agency has warned that the stolen data may be used by attackers to impersonate Legal Aid Agency officials in phishing campaigns aimed at collecting even more sensitive information.
Applicants since 2010 are advised to:
- Watch for suspicious texts, emails, or calls
- Change passwords immediately
- Verify the identity of anyone requesting information before responding
Legal Aid Agency CEO addresses the breach
Jane Harbottle, Chief Executive of the Legal Aid Agency, issued an apology to those affected:
“Since the discovery of the attack, my team has been working around the clock with the National Cyber Security Centre to bolster the security of our systems so we can safely continue the vital work of the agency.”
She added:
“However, it has become clear that to safeguard the service and its users, we needed to take radical action. That is why we’ve taken the decision to take the online service down.”
Contingency measures have been implemented to ensure individuals continue to receive legal support despite the suspension of digital services.
Ministry of Justice’s cybersecurity history under scrutiny
The incident adds to a concerning pattern of cybersecurity lapses at the Ministry of Justice. A 2020 report revealed 17 major data breaches in the previous year alone, affecting over 120,000 individuals, including staff.
