Source · Select Committees · Public Accounts Committee

Recommendation 6

6 Accepted

Require MoJ and LAA to detail cyberattack lessons and funding for system vulnerabilities.

Recommendation
Despite lessons learned from the cyberattack on the LAA, funding to address weaknesses across MoJ systems is uncertain. Vulnerabilities in LAA’s systems had been on MoJ’s risk register since 2021. However, MoJ’s investment of over £50 million to transform and stabilise LAA’s systems was insufficient to prevent hackers accessing a large amount of both provider and legal aid applicant data. While the investment led to improvements that enabled LAA to identify the breach in April 2025, this came four months after attackers initially accessed the system in December 2024. LAA recognises that contingency measures it put in place as services were taken offline have created additional pressures for providers and its staff, and that there are several lessons to be learned from the crisis that can be shared across government, for example the importance of longer-term continuity plans, and of ensuring that senior leaders understand the vulnerabilities associated with their systems. Following the attack, MoJ reviewed all of its systems to identify where vulnerabilities exist, but addressing these vulnerabilities will depend on its internal decisions on how it allocates its Spending Review settlement.

In the Treasury Minute response, the Ministry of Justice and the Legal Aid Agency should set out:

• the lessons it has learned from the crisis and how and when it plans to share these lessons with other government departments.
• whether it has sufficient funding to address the key risks identified from the review of its systems, once allocations are decided.
Government Response Summary
The government agrees with the recommendation, detailing numerous ways lessons learned from the cyberattack have been shared across government. It also confirms that funding has been allocated for the transformation of LAA systems for 2026-2029, alongside continuous security reviews.
Government Response Accepted
HM Government Accepted
The government agrees with the Committee’s recommendation.

Lessons have been shared through several routes. Internally, across MoJ, this has taken place at: MoJ Audit and Risk Assurance Committee; within the MoJ Executive Committee and Senior Leadership Group; and with the HMCTS Executive Leadership Team. Lessons have also been shared with Permanent Secretaries as part of their weekly cross-government meetings, and to the cross-government data practitioners’ network.

In the months following the attack the department shared technical details with public sector security teams through the Government Cyber Coordination Centre (GC3) Impact Coordination Group, as well as writing to the HMG Chief Information Security Officer (CISO) network. The department has also taken experiences of the attack and developed a tabletop exercise that can be used by other departments to role play the scenario and test their thinking and business continuity systems against. This has been shared with the Government Cyber Unit for ongoing use. The MoJ and LAA continue to work to identify lessons and to share these with stakeholders, and are attending the National Cyber Security Centre (NCSC) CyberUK conference as a panel member in April 2026. Further sessions will be provided to assist any other department that requests it, and the department has also offered to share learnings across the Operational Delivery Profession.

The Chief Executive of the Legal Aid Agency (LAA) set out the initial lessons learned at the Committee evidence session in October 2025, including the need for senior leaders to ensure that cyber-vulnerabilities are fully understood and business continuity plans cover a long period.

The government agrees with the Committee’s recommendation.

Recommendation Implemented

The MoJ has allocated funding to the transformation of LAA systems over the 2026-2029 period. However, the department recognises that the landscape, particularly in relation to cyber security, continues to evolve.
The department is taking a continuous assurance approach, reviewing and updating requirements based on latest security guidance from MoJ Digital and wider Government (NCSC), alongside agreed allocated funding. The department will apply government cyber security standards and the ‘secure by design’ principles as appropriate to all new systems. The department has established escalation and governance routes in the event that new risks exceed current mitigation and controls. The department has effective mechanisms for seeking re-allocation and approval of funding in the event that specific targeted investment is required.