The LAA said it discovered the attack on 23 April, taking immediate action to bolster security and inform legal aid providers. However, on 16 May, it discovered the attack was more extensive than first thought.
The LAA believes the hackers have accessed and downloaded a ‘significant amount’ of personal data from those who applied for legal aid through its digital service since 2010.
This data may include contact details and addresses of applicants, their dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments.
Jane Harbottle, the LAA’s chief executive officer, said: ‘I understand this news will be shocking and upsetting for people and I am extremely sorry this has happened.’
In a statement, the LAA advised all those potentially affected to be ‘alert for any suspicious activity such as unknown messages or phone calls and to be extra vigilant to update any potentially exposed passwords’. It warned against providing information to anyone contacting them unless they had first independently verified their identity.
Colin Witcher, barrister at Church Court Chambers, said: ‘As a result of this recent attack, a review of the LAA's data retention policy will be required as, notably, personal material has been accessed and downloaded dating back to 2010, bringing into question why this data was still retained and accessible.’
Law Society president Richard Atkinson said: ‘The incident once again demonstrates the need for sustained investment to bring the LAA’s antiquated IT system up to date and ensure the public have continued trust in the justice system.
‘The fragility of the IT system has prevented vital reforms, including updates to the means test that could help millions more access legal aid, and interim payments for firms whose cashflow is being decimated by the backlogs in the courts, through no fault of their own. If it is now also proving vulnerable to cyber-attack, further delay is untenable.’