Recommendation 25

We asked LAA why it had taken so long to detect the attack and to then take systems offline.48 LAA explained that the risk of a cyberattack on its systems had been rated as extremely high on MoJ’s risk registers since 2021. It told us that MoJ had subsequently provided over £50 million in total to help address some of the system issues and improve security, which allowed it to implement a new security monitoring service.49 It explained that it was 42 Qq 62, 65 43 Q 58 44 Law Society of England and Wales (MOJ0002); Public Law Project (MOJ0004); The Law Centres Network (MOJ0008) 45 Law Society of England and Wales (MOJ0002) 46 Q 70 47 Q 70 48 Q 71 49 Qq 71, 96 15 this new service which meant it was able to detect the breach in April 2025. On the delay to taking its systems down, LAA told us that discussions at senior levels around the trade-offs between access to justice and the risks posed by the cyberattack were ongoing between April and May 2025. However, it said that it did not discover the full extent of the attack—that a large amount of information relating to legal aid applicants may also have been accessed—until 16 May 2025, at which point it took systems offline.50