Legal Aid Agency cyber-security incident - Frequently Asked Questions
Frequently asked questions about the Legal Aid Agency cyber-security incident.
Client data breach
Who might have been impacted by this breach?
We believe the group has accessed and downloaded a significant amount of personal data from those who applied for legal aid through our digital service since 2010.
This data may have included contact details and addresses of applicants, their dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments.
What provider information has been breached?
We communicated to legal aid providers on 30 April that we believe that some financial details of providers may have been exposed, including bank account numbers and sort codes. We have recommended that providers remain vigilant for any unusual activity on their accounts.
What steps should I take to protect myself?
We would recommend that anyone who believes they could be involved in this data breach takes steps to protect themselves. This includes being alert for any suspicious activity, messages or phone calls and taking steps to update passwords. If in doubt about anyone you are communicating with online or over the phone, verify their identity independently before engaging further with them. The National Cyber Security Centre’s webpage contains information on how to protect yourself from the impact of a data breach. The webpage can be found at https://www.ncsc.gov.uk/guidance/data-breaches.
Why did two payments appear in my account w/c 19 May?
Following the extended downtime of the LAA Portal on 8 and 9 May, the LAA worked hard to process as much of the backlog as possible to ensure providers received the payments they are due. To do this it was necessary to undertake two payment runs.
What bills will be paid in the payment run on 27 May?
Civil Representation and Crown Court Bills authorised up to Friday, 16 May.
Are provider IT systems at risk?
There is no direct risk. There is no direct connection from LAA systems to any provider system – it is a one-way, provider-to-LAA connection only.
Do legal aid providers need to contact clients?
There is no contractual obligation on providers to report this incident to the ICO or to inform clients. The data impacted by this incident is either owned by the LAA or is considered Shared Data within the definition of the contract. The contract at clause 16.3 of the standard terms sets out that the responsibilities of the data controller will be exercised by the party in possession of the data – in this case by MoJ as the data controller for LAA. MoJ has notified the ICO of the incident, and has notified data subjects through the public announcement on GOV.UK on 19 May.
Legal aid operations and communications
Why is the Portal offline?
A message updating providers on the position was sent on Monday, 19 May. Following the planned weekend outage last week, the decision was taken to keep the Portal offline at this time. Providers will receive a further update on access to the system on Thursday, 22 May.
Should clients continue to make contributions?
Contributions for existing certificates will continue as normal. However, it would be appreciated if clients could be advised to take particular care to provide valid payment references such as Case ref, CCMS account number or invoice number.
I did not receive the email notification, why not?
All providers and barristers registered on the portal were sent the message. Please check whether your spam filters have blocked incoming emails from the LAA. You will need to ensure you are able to receive messages from communicationsdepartment@justice.gov.uk to ensure that you receive future correspondence. Alternatively, please speak to your LAA Contract Manager in the first instance if you think you are not receiving LAA emails to ensure that your correct details are on file.
Can I correspond with the LAA by email?
Yes, there is no concern with email communication.