The Legal Aid Agency Breach Incident Score: Analysis & Impact (THE31101331112625)

In this Rankiteo incident briefing, we review the The Legal Aid Agency breach identified under incident ID THE31101331112625.

The analysis begins with a detailed overview of The Legal Aid Agency's information like the linkedin page: https://www.linkedin.com/company/the-legal-aid-agency, the number of followers: 18588, the industry type: Legal Services and the number of employees: 354 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 753 and after the incident was 607 with a difference of -146 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on The Legal Aid Agency and their customers.

On 20 May 2024, Ministry of Justice (MoJ), UK disclosed Data Breach and Data Extortion issues under the banner "Data Breach at UK Ministry of Justice's Legal Aid Agency".

Hackers accessed a large amount of personal and sensitive information from individuals who applied for legal aid in England and Wales via the Legal Aid Agency’s online platform since 2010.

The disruption is felt across the environment, affecting Legal Aid Agency’s online platform, and exposing Contact details (names, addresses), Dates of birth and National ID numbers, with nearly Over 2 million (claimed by hackers; MoJ did not confirm exact number) records at risk.

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like Legal injunction against data distribution and Online service taken offline, and began remediation that includes Bolstering security of systems with NCSC support, and stakeholders are being briefed through Public disclosure via MoJ statement, Apology from Legal Aid Agency CEO Jane Harbottle and Warnings to law firms about compromised financial data.

The case underscores how Ongoing (NCA, NCSC, and MoJ collaborating), teams are taking away lessons such as Vulnerabilities in public sector digital services can have severe consequences for marginalized populations, Legal injunctions may be ineffective against anonymous, jurisdictionally hostile threat actors and Critical public services (e.g., legal aid) may lack the same resilience as traditional critical national infrastructure (CNI), and recommending next steps like Enhance cybersecurity measures for public-facing digital services, particularly those handling sensitive data, Prioritize protection of public services alongside traditional CNI in national cybersecurity strategies and Improve incident response coordination between government agencies (e.g., MoJ, NCSC, NCA), with advisories going out to stakeholders covering Warnings issued to law firms about compromised financial data and Public apology and updates from Legal Aid Agency CEO Jane Harbottle.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with moderate to high confidence (85%), with evidence including hackers breached the **Legal Aid Agency’s online platform**, and legal Aid Agency’s online service taken offline to contain the breach. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (95%), with evidence including accessing and exfiltrating a **massive trove of sensitive personal data** from over **2 million legal aid applicants**, and hackers downloaded significant amounts of data and Data from Information Repositories (T1039) with high confidence (90%), supported by evidence indicating compromised data includes **full names, contact details, dates of birth, national ID numbers, criminal histories**. Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with moderate to high confidence (80%), with evidence including exfiltrating a massive trove of sensitive personal data, and hackers downloaded significant amounts of data (method unspecified but implied). Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with lower confidence (0%), Data Destruction (T1485) with lower confidence (0%), Inhibit System Recovery (T1490) with moderate to high confidence (70%), supported by evidence indicating the agency **shut down its online service** to contain the breach, disrupting critical public legal services, Service Stop (T1489) with high confidence (90%), with evidence including legal Aid Agency’s online service taken offline, and disrupting critical public legal services, and Data Theft for Extortion (T1659) with high confidence (95%), with evidence including attackers, engaged in **data extortion**, threatened to **publish the data online**, and ransomware such as data exfiltration such as Yes (data extortion incident). Under the Defense Evasion tactic, the analysis identified Indicator Removal: File Deletion (T1070.004) with lower confidence (30%), supported by evidence indicating no direct evidence, but implied by lack of forensic details on persistence/artifacts in report. Under the Lateral Movement tactic, the analysis identified Remote Services: Remote Desktop Protocol (T1021.001) with lower confidence (20%). Under the Credential Access tactic, the analysis identified Unsecured Credentials: Credentials In Files (T1552.001) with lower confidence (40%), supported by evidence indicating no explicit evidence, but **online platform breach** suggests potential credential misuse or exposure. Under the Discovery tactic, the analysis identified File and Directory Discovery (T1083) with moderate to high confidence (70%), supported by evidence indicating accessing and exfiltrating a massive trove of sensitive personal data implies reconnaissance of data repositories. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.