The government has promised that a “formal lessons learned approach” will be put in place to “systematically” analyse lessons from the Ministry of Justice’s and LAA’s preparation for and response to the cyber-attack in 2025 that compromised the personal data of millions of legal aid applicants.

The review of the incident will cover pre-incident risk management and the response to the incident itself. This will inform future resilience planning, governance improvement and risk mitigation strategies across the Ministry of Justice and its agencies.

In response to a written question from the Labour MP for St Helens South and Whiston, Marie Rimmer, about the adequacy of disaster recovery planning at the LAA prior to the attack, justice minister Sarah Sackman revealed that no digital disaster recovery plan was in place before the attack.

The deputy chief executive of the LAA, Jane Harbottle, told MPs last year that the legal aid system had been regarded as vulnerable since 2021 and was rated as “extremely high risk” on the government's risk register.

In the interests of security, the government will not confirm the method by which unauthorised access was gained to the LAA’s online digital systems or details about specific steps taken or measures implemented to protect LAA systems against any future cyber-attacks.

“We take the security of people’s personal data extremely seriously,” Sackman said.

Defending the government’s response to the systems breach last year, the minister said that the Ministry of Justice had published a notice shortly after it became aware of the criminal cyber-attack at 08:15 on 19 May and had contacted as many potentially impacted individuals as possible.

The notice, the minister said in her written answer, provided information about the cyber-attack and directed concerned members of the public to the National Cyber Security Centre’s webpage, which contained information on how to protect against the impact of a data breach.

The Legal Aid Agency (LAA) also set up dedicated Customer Services support via a telephone line and email for providers and clients who had concerns regarding the data breach. However, the minister said in her written answer that the agency did not write to clients at all of the addresses on the system as some of those addresses would no longer be current, and that would potentially create another data breach in itself.

The minister also stressed that prior to the cyberattack, the LAA had in place prepared business continuity plans for business-critical processes and services to ensure that access to justice could be maintained in the event of a system outage. “These plans were tried and tested, and we were confident that the measures would be effective for our initial response. These measures gave us sufficient time to design and implement longer term measures to meet the specific needs of the incident that were introduced in June 2025,” she said.

The statement published in May 2025 set out information about who may have been impacted and the nature of the information which may have been accessed. “As far as we are aware, no data has been shared or put out in the public domain,” Sackman added. “An injunction has been put in place to prohibit sharing of this data. Anyone who does so could be sent to prison. If it is identified that a specific individual is at risk, action will be taken to try to contact them.

“Security of the new systems has been paramount as we have rebuilt the LAA’s digital systems following the attack.”

Since the attack, the compromised digital portal has been replaced by a new, secure single sign-in tool for LAA online services (SiLAS). Security on the new system includes multi-factor authentication, with independent testing activities to validate that the appropriate security controls are in place. A dedicated team will monitor and update the service to ensure it evolves to remain resilient to emerging threats and is supported by a security operations capability.

“While no system can be entirely risk free, we are confident that we have taken the right steps to protect the service and its users,” Sackman said.

Responsibility for disaster recovery planning for digital systems lies with Justice Digital rather than the LAA. Prior to the cyber-attack there was no digital disaster recovery plan in place.

However, had we had a fully funded disaster recovery system, any immediate restoration would have simply restored the systems without resolving the vulnerabilities that enabled the cyber-attack to occur. Justice Digital now have a new Service Owner structure in place where clear Service Standards will be defined and monitored. This will include digital disaster recovery plans for each digital product.

At every stage, we have acted to protect public access to justice and to support providers in delivering legal aid. We have achieved this without affecting court backlogs or police station activity.

Our business continuity planning was effective in maintaining access to justice from the outset of the attack and the need to have longer term options in place is one of the lessons that we have taken from this incident.

Guidance and regular updates for practitioners on how to work with the Legal Aid Board following the cyber attack can be found at https://www.gov.uk/guidance/legal-aid-agency-cyber-security-incident.
