Ministry of Justice discloses two ransomware attacks

The first case was targeted against the London Borough of Hackney in October 2020, and the second was against Ubiqus, a data processor which provides court recordings and transcription services, in December 2020.

The data, analysed by niche litigation practice Griffin Law, was uncovered in the Ministry of Justice’s Annual Report and Accounts, and both cases were reported to the Information Commissioner’s Office.

According to the report, the first attack perpetrated against the London Borough of Hackney potentially compromised personal data which affected an “unknown” number of people. The incident was reported to the ICO on 29^th October, and their response is still pending.

The second attack against Ubiqus also impacted personal data of an “unknown” quantity of people. The ICO closed their investigation in this case and no further action was taken.

In total, between April 2020 and March 2021, 16 significant personal data incidents, impacting approximately 5,476 people, were reported to the Information Commissioner’s Office from the Ministry of Justice.

The largest incident spanned seven months and potentially impacted over 5,200 individuals and 55 companies. This was due to an inaccurate change to ‘plea data’.

In another case, vaccination status data from up to 25 HMPPS staff were stolen from a third party occupational health provider staff member, following a vehicle break in. The data was eventually returned to HMPPS.

There were also a further 6,267 incidents during the time period which did not meet the threshold to be reported to the ICO.

These discoveries come a month after the announcement of the UK government’s National Cyber Strategy 2022 which aims to build a strong and resilient cyber landscape using prosperous digital infrastructure to aid against ransomware attacks. The government have committed to spending £22bn on research and development with technology taking a central role in national security.

Donal Blaney, Founder of Griffin Law, commented: “The Ministry of Justice and Courts and Tribunals Service are a joke. For the rule of law to mean anything, courts have to be adequately funded, properly staffed and competently run. If the MoJ and HMCTS cannot get their own houses in order, what faith can we have as a society that our justice system is no being run in a similarly inept manner?”

Tim Sadler, CEO- and Co-Founder of Tessian, commented: "The threat of ransomware continues to spread like wildfire, causing devastating damage to companies and operations, and the sad fact is that it shows no sign of slowing down. With the majority of ransomware attacks starting with a phishing attack, organisations across all sectors must have the measures in place to catch these malicious emails as soon as they land in an inbox. This will drastically reduce the chance of a tired, distracted or naïve employee from opening or responding to a convincing or tailored spear phishing email."

Edward Blake, Area Vice President EMEA for Absolute Software, commented: “Ransomware attacks have surged in sophistication and quantity over the last 24 months, and all organisations have been, and will continue to be, impacted by this growing threat trend. As a result, it is no longer safe to assume that bad actors haven’t already secured the means to breach a business’s system. Therefore, implementing Zero Trust protocols to prevent malicious parties from moving laterally through a business’s network is a vital precaution that organisations must take to protect themselves against this elevated cyber threat.

“Furthermore, protecting devices with resilient endpoint security that comes equipped with self-healing capabilities is vital in ensuring that applications remain healthy, and endpoints are fully protected against external cyber attacks.”