Ministry of Justice splurged £50M on security – still missed Legal Aid Agency cyberattack
- Reference: 1767788923
- News link: https://www.theregister.co.uk/2026/01/07/legal_aid_agency_attack/
The revelation was made in a [1]report published by the Public Accounts Committee (PAC) today, which, alongside a thorough castigation of the MoJ's handling of the unsafe HMP Dartmoor prison, highlights a list of failures and issues regarding the handling of the LAA cyberattack.
Government officials told the PAC that the LAA's security shortcomings had been on its risk register since 2021. The agency's risk rating for a cyberattack was "extremely high," prompting a huge cash injection to address the various issues, split into £8.5 million, £10.5 million, and £32 million rounds.
Both the MoJ and LAA acknowledged that the cyberattack, considered [3]one of the most sensitive in British history, began in December 2024, but was not detected until April 2025.
The Register asked the MoJ for answers regarding the four-month delay. The PAC's report notes that some of the £50 million earmarked for security improvements (part of the £10.5 million funding round) was spent on a new threat detection system that ultimately spotted the intrusion in April. However, the point at which it became operational is not clear.
Speaking to the committee in October, LAA CEO Jane Harbottle said the agency secured funds for the system in 2024, but suggested that it was launched after December 2024. There is no explicit mention of when the system went live, but we await the MoJ's response on that front.
There was also a delay between detecting the attack in April and taking servers offline nearly a month later in May.
According to the PAC, the LAA did not initially understand that legal aid applicant data was compromised. In April, it thought only the details belonging to legal aid providers were involved, at which point it informed them that some financial data such as account and transaction data may have been accessed.
Harbottle told the committee: "On Friday, May 16, we discovered that the attack was a lot more extensive than we had originally understood, and that the group behind it had accessed a large amount of information, potentially relating to legal aid applicants.
"Further investigation at that stage identified that the attacker's first known entry into the system was back on December 31, 2024. At that stage, we immediately took our systems down. We obtained an injunction to stop the onward publication of any details that may appear on the web or on the dark web, and then we instigated contingency measures… across the provider base."
Between April 23 and May 16, senior-level discussions took place daily between the LAA and MoJ about the need to balance access to justice and the risks associated with keeping servers online following the attack.
Contingency plans were ultimately enacted following the server shutdown and while the LAA reported that no providers left the market, the impact on those across the legal sector was "brutal."
Harbottle said that legal eagles' main priority was to keep access to legal aid up and running, which the LAA did, but the more manual processes involved in managing caseloads in the digital era had a profound impact on workers' wellbeing.
The LAA kept funds flowing to legal aid providers during the contingency period by issuing them an average payment, calculated by the average monthly payment for the three months before the attack. From the agency's perspective, it was overpaying providers during this time, but it will be recovering those funds over time.
It is recouping that money at 25 percent of the speed at which the LAA issued it, however, likely taking years to clear the backlog.
Harbottle said: "For every week of contingency, we will recover that week's money over a month. If we have made 20 payments, it will take us 20 months to recoup that money."
Further funding needed
MoJ permanent secretary Dr Jo Farrar said the LAA would likely need more money to ensure its entire IT estate is fully transformed.
Asked if that transformation will be accelerated in light of the attack on the LAA, home to the MoJ's highest-risk system, Farrar said it would depend on budget allocations, as an acceleration of the existing plan would require funding.
"At the moment, that is subject to allocation decisions, and obviously, there are lots of funding decisions to balance," she said.
Of the money already allocated to securing LAA systems, some of it was spent on mitigating measures instead of outright system replacements. Farrar said the top priority is to protect the LAA from a cyberattack, and applying mitigations is sometimes the most efficient way of balancing priorities with available funds.
The PAC also asked whether the public can have confidence that the MoJ's systems can store personal data securely.
Farrar said the MoJ "comprehensively reviewed" all of its systems, and claimed the department has a clear understanding of where its weaknesses lie.
"As with many other systems, in both the public and private sectors, we are seeing increasingly sophisticated actors who are determined to try and disrupt and access data for criminal purposes," she said.
"We are doing all we can to understand where the risks are and update our systems accordingly. Obviously, as I said earlier, there is a huge cost to that.
"We have dedicated money to the legal aid system, which was identified as our highest-risk system. Other decisions on improvements will now be taken through our allocation process. But, to reassure you, we have the assessment of all our systems, and we know where our risks are." ®
Updated to add at 1600 UTC, January 7
A Ministry of Justice spokesperson told The Register: "This government inherited a legal aid system in crisis – that's why we are investing tens of millions across the board to support hard-working legal aid lawyers.
"We recently confirmed an additional investment of up to £92 million per year in criminal solicitors, alongside a further £20 million in immigration and housing legal aid fees – the first major increase since 1996. This investment will help to tackle years of neglect and will support the sector's long-term sustainability."
[1] https://committees.parliament.uk/committee/127/public-accounts-committee/news/211166/failure-at-the-ministry-of-justice-scathing-pac-report-holds-department-to-account/
[3] https://www.theregister.com/2025/05/19/legal_aid_agency_data_theft/
Re: FFS!!
Being closer to the courts and the cases that go through them than most of the government they really should have been aware of the principle that you do not stop people intent on breaking laws by providing them with more laws (or injunctions) to break.
Look over there!
Look! We have thrown money okay?
On the other hand, suppliers not named? Interesting.
No matter how much money/infosec talent you throw at it...
...if a system is connected to the net it is vulnerable.
Keep your intranet and data offline. Maintain disposable systems with minimal data online. Design out as much of the risk as you can.
Risk Registers
In my experience risk registers just end up getting gamed to make numbers look good. In a firm I worked at we had to include risks in the cost-to-complete (CTC) at a value of risk factor x cost impact but if the risk were over 60% then it had to be accounted for at 100% in the CTC. Once a project got in the shit the monthly reviews with the board ended up being almost completely dedicated to arguing the finer points of whether a risk was, say 65% or could be downgraded because we'd done enough work to mitigate some of it. Taking a risk from 60% to 55% could remove a shedload of cost from the CTC and hence shield the local directors from a kicking from their bosses at head office. Risk registers became like tree rings; you could tell how long a project had been running by how many risks were sitting in the 50%-59%.
That's not an update, that's a party political broadcast!
FFS!!
"We obtained an injunction to stop the onward publication of any details that may appear on the web or on the dark web"
Yes, that's how you stop a Cyber Crim, take out an injunction....
This, I suspect, is half the issue, applying MoJ LAA logic to a Cyber Issue.
Who on earth has been advising them?
I'd be asking for a refund, or looking for some COMPO! Maybe they can get legal aid? :)