The UK's Ministry of Justice spent £50 million ($67 million) on cybersecurity improvements at the Legal Aid Agency (LAA) before the high-profile cyberattack it disclosed last year.
The revelation was made in a report published by the Public Accounts Committee (PAC) today, which, alongside a thorough castigation of the MoJ's handling of the unsafe HMP Dartmoor prison, highlights a list of failures and issues regarding the handling of the LAA cyberattack.
Government officials told the PAC that the LAA's security shortcomings had been on its risk register since 2021. The agency's risk rating for a cyberattack was "extremely high," prompting a huge cash injection to address the various issues, split into £8.5 million, £10.5 million, and £32 million rounds.
Both the MoJ and LAA acknowledged that the cyberattack, considered one of the most sensitive in British history, began in December 2024, but was not detected until April 2025.
The Register asked the MoJ for answers regarding the four-month delay. The PAC's report notes that some of the £50 million earmarked for security improvements (part of the £10.5 million funding round) was spent on a new threat detection system that ultimately spotted the intrusion in April. However, the point at which it became operational is not clear.
Speaking to the committee in October, LAA CEO Jane Harbottle said the agency secured funds for the system in 2024, but suggested that it was launched after December 2024. There is no explicit mention of when the system went live, but we await the MoJ's response on that front.
There was also a delay between detecting the attack in April and taking servers offline nearly a month later in May.
According to the PAC, the LAA did not initially understand that legal aid applicant data was compromised. In April, it thought only the details belonging to legal aid providers were involved, at which point it informed them that some financial data such as account and transaction data may have been accessed.
Harbottle told the committee: "On Friday, May 16, we discovered that the attack was a lot more extensive than we had originally understood, and that the group behind it had accessed a large amount of information, potentially relating to legal aid applicants.
"Further investigation at that stage identified that the attacker's first known entry into the system was back on December 31, 2024. At that stage, we immediately took our systems down. We obtained an injunction to stop the onward publication of any details that may appear on the web or on the dark web, and then we instigated contingency measures… across the provider base."
Between April 23 and May 16, senior-level discussions took place daily between the LAA and MoJ about the need to balance access to justice and the risks associated with keeping servers online following the attack.
Contingency plans were ultimately enacted following the server shutdown and while the LAA reported that no providers left the market, the impact on those across the legal sector was "brutal."
Harbottle said that legal eagles' main priority was to keep access to legal aid up and running, which the LAA did, but the more manual processes involved in managing caseloads in the digital era had a profound impact on workers' wellbeing.
The LAA kept funds flowing to legal aid providers during the contingency period by issuing them an average payment, calculated by the average monthly payment for the three months before the attack. From the agency's perspective, it was overpaying providers during this time, but it will be recovering those funds over time.
It is recouping that money at 25 percent of the speed at which the LAA issued it, however, likely taking years to clear the backlog.
Harbottle said: "For every week of contingency, we will recover that week's money over a month. If we have made 20 payments, it will take us 20 months to recoup that money."
MoJ permanent secretary Dr Jo Farrar said the LAA would likely need more money to ensure its entire IT estate is fully transformed.
Asked if that transformation will be accelerated in light of the attack on the LAA, home to the MoJ's highest-risk system, Farrar said it would depend on budget allocations, as an acceleration of the existing plan would require funding.
"At the moment, that is subject to allocation decisions, and obviously, there are lots of funding decisions to balance," she said.
Of the money already allocated to securing LAA systems, some of it was spent on mitigating measures instead of outright system replacements. Farrar said the top priority is to protect the LAA from a cyberattack, and applying mitigations is sometimes the most efficient way of balancing priorities with available funds.
The PAC also asked whether the public can have confidence in the MoJ's systems that they can store personal data securely.
Farrar said the MoJ "comprehensively reviewed" all of its systems, and claimed the department has a clear understanding of where its weaknesses lie.
"As with many other systems, in both the public and private sectors, we are seeing increasingly sophisticated actors who are determined to try and disrupt and access data for criminal purposes," she said.
"We are doing all we can to understand where the risks are and update our systems accordingly. Obviously, as I said earlier, there is a huge cost to that.
"We have dedicated money to the legal aid system, which was identified as our highest-risk system. Other decisions on improvements will now be taken through our allocation process. But, to reassure you, we have the assessment of all our systems, and we know where our risks are." ®
Source: The register