Labour Government Blames Tories

British law firms representing low-income criminal defendants and civil litigants are having to work for free for weeks or decline new cases as the fallout of a cyberattack against the U.K. Legal Aid Agency forced the agency to yank its online portal offline.
Officials from the Labour government of Keir Starmer encouraged members of Parliament anxious for someone to blame to look to the administration of its predecessor Conservative government.
The Ministry of Justice disclosed Monday that a breach of the Legal Aid Agency first detected in April was more egregious than thought. Hackers appear to have downloaded records dating back to 2010. Stolen information includes legal aid applicant names, dates of birth, national ID numbers, criminal history and financial details such as debts and payments – teeing up concerns for the safety of some recent applicants for legal aid, which includes domestic abuse survivors. The agency, a component of the ministry, provides legal assistance in England and Wales to criminal defendants in need of an attorney and in civil cases relating to families, special needs and housing (see: Hackers Nab 15 Years of UK Legal Aid Applicant Data).
The Law Society Gazette, an in-house news organ of solicitor association the Law Society, reported Friday that law firms have been forced to either take up unpaid jobs or decline cases due to the Legal Aid Agency taking its online portal offline.
An association representing solicitors in the northern cities of Bristol, Birmingham, Leeds, Liverpool and Manchester decried, in a Wednesday statement, the lack of a contingency plan for firms to submit invoices or obtain new clients. “For firms already working on the narrowest of margins, this interruption in work, and possibly in income, places them at real risk of financial instability,” wrote Joint V Law Societies.
In a Thursday update the justice ministry said there are payment backlogs due to the hack and that the agency will clear bills related to civil representation and crown court towards the end of this month.
At a Monday parliamentary briefing on the case, State Minister of Justice Sarah Sackman said the attack did not impact other parts of the Ministry of Justice.
Sackman said the attack stemmed from long-standing vulnerabilities in the Legal Aid Agency systems and that the Law Society in 2023 and again in 2024 called for upgrades. “In short, this data breach was made possible by the long years of neglect and mismanagement of the justice system under the last Conservative government,” Sackman said. Labour took control of government in July 2024 following 14 years of Conservative rule.
Some lawmakers criticized the government’s response as inadequate, with many calling on the government to urgently prioritize replacing the outdated IT systems across Whitehall.
“Accepting that the government have inherited a legacy of years of underinvestment in Whitehall IT, and that the cost of successful cyberattacks is very high, does it not make sense to raise the level of investment in replacing some of these legacy systems as rapidly as possible?” said William Wallace, a Liberal Democrats member of parliament.
Describing Ministry of Justice IT systems as “unfit for purpose,” Liberal Democrats House of Lords Life Peer Jonathan Marks called on the government to audit “how far its IT systems can provide the public with a high standard of data security.”
“The reality is that we are working with old and inefficient systems that, frankly, grow creakier and creakier, just as the ingenuity and criminality of the potential attackers becomes ever more sophisticated, not least as the value of personal data rises and the potential for its abuse becomes ever greater,” Marks said.
Concerns regarding the antiquity of British government IT systems have mounted, particularly after auditors in January found that the government would not meet a goal to significantly upgrade by this year the defenses of critical functions against cyberattacks. The Government Audit Office laid much of the blame on legacy systems (see: Critical UK Government Systems at High Risk, Warn Auditors).
A Ministry of Justice spokesperson said work to replace the outdated systems has been underway since Labour entered government, including dedicating 20 million pounds to transform the Legal Aid Agency’s digital services.
The government has also touted a proposed Cyber Security and Resilience Bill, which is set to be introduced in Parliament, as a means to build cyber resilience. The bill would mandate measures such as mandatory patching for critical infrastructure operators (see: UK Government Previews Cybersecurity Legislation).
“Outdated government IT systems are riddled with security holes, lacking critical updates and patches,” said Dray Agha, security operations manager at Huntress. “Without urgent investment in system upgrades, standardized data-sharing and cybersecurity overhauls, the UK risks leaving citizens exposed to security threats and subpar services.”