Legal Aid Cyber Attack: A Significant Amount Of Personal Data Stolen
In late April, it was revealed that the online digital services for Legal Aid, the Government agency responsible for providing legal funding, had been hit by a cyber attack. It was initially thought that the only systems compromised were the ones which allow Legal Aid providers to log the work that they complete and receive payments from the Government, but we now know that a significant amount of personal data has also been compromised, including contact details, addresses, dates of birth, criminal records, national ID numbers and employment status. It is estimated that roughly 2 million pieces of data are affected.
This comes after retailers Marks & Spencer and the Co-op were hit by cyber attacks, though at this time there is no evidence that those incidents are related to this one.
At this time, it is unknown what methods of attack were used to gain access to these systems, but we do know that the vulnerabilities of the Legal Aid systems have been known for many years. As these systems became more and more outdated, the risk of an attack grew, with no meaningful action being taken to fix these issues. It was also revealed that the previous Government were made aware of these issues repeatedly, but no action was taken, which demonstrates the long-term neglect of these systems.
In response to this incident, Jane Harbottle, Chief Executive Officer of the Legal Aid Agency, expressed her regret, apologising and saying that she understands the news is upsetting for those impacted. Following the incident, the agency has been working tirelessly to enhance the security of impacted systems to ensure that there is as little disruption to its activities as possible.
In addition to this, contingency plans have been implemented to ensure that the individuals who require legal support during this time still have access to the help they need. They plan to provide future updates as the situation develops and have also reaffirmed their commitment to keeping the data they store safe and secure.
What are the key takeaways from this?
The investigation into this incident is still ongoing, but there are already a few lessons that can be learnt from it that will also apply to your business.
Don’t ignore cybersecurity vulnerabilities: Ignoring known vulnerabilities in systems increases the risk of a successful cyber attack. Vulnerabilities can come in many forms, such as having outdated systems or not enough authentication or access control measures in place.
Regularly assess and update systems: While the exact cause of this incident is unknown, it is very clear that outdated systems were a significant factor. Ensuring your own systems are up to date helps you remain protected against modern cybersecurity threats. This includes the operating systems that your work devices run on, such as Windows, which receive frequent patches to remove system vulnerabilities.
Personal data is always a high-value target for attackers: Cyber attackers often focus on stealing large volumes of personal data. In this case, over 2 million pieces of personal data were stolen, which may either be sold or be used for things such as phishing scams. Your organisation must ensure that the appropriate safeguards are in place to keep the personal data you store and process as safe as possible. The reputational, legal and financial fallouts from these incidents can often be catastrophic for a business, especially smaller ones.
The way you respond to incidents is vital: The way you respond to a data breach matters. In this case, the CEO was quick to issue an apology for the incident and was transparent about what is known about it and the impact it may have on individuals. The agency also shared contingency plans, promised improvements to security and confirmed that it will keep the public informed about future developments.
Contingency planning is essential: Even during a crisis, services must continue as normal, especially for an organisation such as Legal Aid. The contingency plans that they had in place meant that they could continue to support services even when dealing with this incident. It’s important that your business has some form of business continuity and disaster recovery procedure in place to stop your business from screeching to a halt in the face of an incident.
To learn more about what constitutes a data breach, what steps need to be taken and how PRIVACY HELPER can assist, take a look at our Data Breach page.