Lessons Learned from the Legal Aid Agency Data Breach – IT Governance Blog

The MoJ (Ministry of Justice) has disclosed that the LAA (Legal Aid Agency) suffered a data breach last month, in which criminals accessed data relating to hundreds of thousands of people, dating back to 2010.
Exfiltrated data may have included “contact details and addresses of applicants, their dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments”.
According to the BBC, more than 2 million pieces of information were taken, including data relating to “domestic abuse victims, those in family cases and others facing criminal prosecution”.
It’s not known whether the personal data was encrypted or anonymised.
Access to the system was shut down after the breach was discovered and an investigation was launched.
At the time of writing, there is no evidence that the data has been published online or used for further malicious activity. However, the nature of the compromised information (identity details, criminal history and financial data) means that affected individuals are now at a heightened risk of identity theft and targeted fraud, including phishing that uses the stolen details to appear legitimate.
Political context
This isn’t the first time the MoJ or its agencies have faced scrutiny for data security failings.
In 2020, the Ministry was criticised after reporting a series of serious data breaches affecting over 120,000 people and a further 6,425 data security incidents, most of which related to unauthorised disclosure and were not serious enough to be reported to the ICO (Information Commissioner’s Office).
And in 2019, Freedom of Information requests revealed that the number of MoJ laptops that had been lost or stolen had increased by 400% over three years.
The most recent breach has, therefore, inevitably prompted political debate about public-sector IT and cyber security spending: in the Commons earlier this week, Sarah Sackman MP, the Minister of State for Courts and Legal Services, said the “data breach was made possible by the long years of neglect and mismanagement of the justice system under the last Conservative Government. They knew about the vulnerabilities of the Legal Aid Agency digital systems, but did not act”.
It’s worth noting that no specific vulnerabilities have been made public yet, nor do we know who carried out the attack. The LAA has confirmed it is cooperating with the NCA (National Crime Agency), NCSC (National Cyber Security Centre) and the ICO to determine the breach’s cause.
Lessons for all sectors
Irrespective of the specific causes, the breach at the Legal Aid Agency should serve as a warning to all organisations – public and private alike – that underestimating cyber risks is fraught with danger. So, what can we learn from the incident?
Dr Loredana Tassone, managing consultant for our sister company GRCI Law and head of its EU and UK representative services, comments:
“Based on GRCI Law’s experience advising public bodies, vulnerabilities often stem from gaps in governance, from failing to deploy appropriate technical and organisational measures, from underestimating the need to conduct risk assessments, and from not complying with the privacy by design principle.
“In summary:
- Lack of a thorough DPIA (data protection impact assessment)
DPIAs are essential when processing sensitive personal data or engaging third-party suppliers, to identify and mitigate risks before operations begin.
- Insufficient due diligence on suppliers
Organisations must rigorously assess suppliers’ data protection capabilities and track records before engagement. This includes understanding their security posture and compliance with data protection laws.
- Inadequate security measures
Weaknesses such as outdated software, insufficient encryption, poor access controls or lack of multi-factor authentication can be exploited by attackers.
- Unclear or incomplete contractual agreements
Robust contracts must clearly define data protection responsibilities, including obligations for data breach notification, use limitation and data retention policies.
- Weak oversight of data sharing and international transfers
Where data moves beyond the UK or EU, comprehensive TIAs (transfer impact assessments) or TRAs (transfer risk assessments) are needed to evaluate risks so that appropriate safeguards are applied. Monitoring such transfers through ongoing audits is critical.
- Under-resourced DPO (data protection officer) functions
Effective monitoring requires DPOs to have adequate authority, resources and independence to oversee supplier compliance, conduct audits and enforce corrective actions.
“Preventing breaches requires a holistic approach combining these governance, contractual and technical elements, backed by ongoing risk assessment and audit programmes. It is essential overall that the DPO and, more generally, the compliance team are given enough human and financial resources to be able to develop an adequate data privacy and cyber security compliance programme, especially in the justice sector, where failing to protect personal data can result in other fundamental rights being infringed.”
Penetration testing – identifying weaknesses before attackers do
One of the most effective ways to detect and fix security gaps is to commission regular penetration testing. A penetration test simulates an attack on your systems to identify exploitable vulnerabilities, including those arising from configuration errors, missing patches or weak access controls, so that they can be remediated before a real attacker finds them.
For public bodies like the LAA, such tests can provide evidence of due diligence and inform risk treatment plans. For private organisations, penetration testing is a vital part of any risk-based cyber security strategy.
It is especially valuable where organisations handle sensitive personal data, face regulatory requirements or operate in a high-threat environment.
Don’t leave your vulnerabilities to chance. Collaborate with a team that understands your risks and delivers actionable solutions.
Contact our penetration testing experts today to discuss your security needs.