Hacker News new | past | comments | ask | show | jobs | submit login
'Significant amount' of private data stolen in UK Legal Aid hack (bbc.co.uk)
51 points by neversaydie 22 days ago | hide | past | favorite | 40 comments



> The Legal Aid breach is, I’m told, a ransomware/extortion group (not mentioned in the notice). If it looks like the UK gov are going to pay, or pay via third party, this one will become a megathread. https://www.gov.uk/government/news/legal-aid-agency-data-bre... -- https://cyberplace.social/@GossiTheDog/114533584686916433

Note Gossi's "If". There's no indication so far wrt possible payment.


The UK government does not pay ransomware and advises private businesses not to also. https://www.ncsc.gov.uk/section/respond-recover/ml-ransomwar...


I wasn't trying to suggest they wil. I emphasised Gossi's If because I missed it on my first read. I didn't want others making the same mistake.


The official positions of Governments is counter to the actual behaviour in many many circumstances.


> Looks like they were doing everything on AWS for about 6 years.

Ransomed by Jeff Bezos.


Ransom refers to when a person or thing is released, not when it's taken.

Do you mean stolen by Jeff Bezos, or to imply that AWS has another copy of the data?


They are not going to pay anything I guarantee it. There is no randomware. They shut their services down before the attacker could deploy ransomware although the attacker likely accessed data.


> likely accessed data

There's nothing "likely" about it.

> On Friday 16 May we discovered the attack was more extensive than originally understood and that the group behind it had accessed a large amount of information relating to legal aid applicants.

> We believe the group has accessed and downloaded a significant amount of personal data from those who applied for legal aid through our digital service since 2010.

> This data may have included contact details and addresses of applicants, their dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments.

source: https://www.gov.uk/government/news/legal-aid-agency-data-bre...


> she understood the news "will be shocking and upsetting for people".

And that's about it. No repercussions will take place.


It is entirely possible the IT was outsourced to the highest bidder, probably with limited liability clauses etc etc. See Post Office for reference, they are still reaping contract money out of the government, years after having been proven as responsible for ruining people's lives for decades, and coverups.


Governments outsource to the lowest bidder. Whoever can do the job for the cheapest.


Here in the UK it's not as simple as that. In order for your bid to be accepted there are a lot of hoops you go through to try to prove yourself.

Unfortunately these make it very hard for people to get contracts with the government, so most government contracts get awarded to a small number of contractors who can maintain the expertise needed to comply with the rules. Often they end up charging more than other companies and doing a worse job.


Your comment is against the site rules on first sight, but it’s at the core of the problem: strong regulation, surveillance and punishment are sorely lacking.


Who do you want to punish exactly?


Cases like this usually boil down to one of three things:

1) Someone left an unpatched server exposed to the Internet for months with a known critical vulnerability.

2) Someone uploaded the data to a world-readable S3 bucket or similar, or left it in an Internet-accessible database server with no authentication.

3) Someone with administrative credentials was using the password "password1!" or similar with no two-factor authentication.

In an ideal world (not the world we live in), in these cases, that someone would be prosecuted for gross negligence.


It seems to me that 1) is the norm, not an exception in large enough corporations and especially government orgs.

Personally, I do not see any other way out of this other than somehow criminalizing running outdated software.


Perhaps. So you prosecute your £30k low rank administrative assistant in charge of the thing. All the other unionized low-paid civil servants immediately go "we didn't sign up for this liability" and refuse to touch anything that could be deemed computer administration. Government grinds to a halt.

Something similar happened to the British Museum a couple of years ago. Almost certainly an even worse pay/qualifications employer.


You prosecute whoever set the system up. The same way you’d prosecute a surgeon for malpractice.

These are professionals. It’s their responsibility to build a solid, secure system. If they can’t or don’t want to then they should find another job.


They are professionals. They cannot upgrade this particular windows server, because the software they're running on it requires visual basic 6.0 support. The vendor cannot provide any upgrade for their system, because certifying anything newer than Windows 2003 for this software is prohibitively expensive for the vendor. You cannot switch vendor due to obscure clauses in contract.

Real situation btw.


Then you're going to have to start paying entry level IT like surgeons. Nobody is going to take that kind of risk for $30K.


More likely, they'd just start carrying errors and omissions insurance for a bit extra.


Or this becomes another profession where everyone gets (and needs) liability insurance.

That might not be a bad thing, if the insurance comes with some kind of way to get lower premiums for being less risky.


since when does entry level IT “call the shots” on reviewing code that gets deployed to prod?

Sure a junior programmer or devops may do something dumb. That’s not the problem - at all. The problem is pretending they are a professional. They are not. They are juniors that need mentorship and should be _expected_ to mess up frequently.

To use a different analogy. If I bring my car to the mechanic, i’m OK with the new guy working on my car, assuming that the senior mechanic, you know, double checks their work. Is that not a reasonable assumption?

None of this makes ANY sense to me. To be blunt.


If the pay difference doesn't reflect that additional responsibility, it probably is not expected


I am not convinced by this attitude of “I am being paid peanuts so I’m not going to do my job”. If you don’t like the salary then find some other job.


You have an incomplete understanding of the situation. The services that have been affected are 3rd party systems, built by the private sector on a government contract. The service was built by people who were not going to support it. It is not possible to upgrade and patch these services. The civil servant developers working on them do what they can, but they have been warming management, who have warned government, that they systems are insecure, but govt won't spend money on updating them.

There are services built by civil servant developers, that are built with security in mind, and they are not affected by this breach.

So it's nothing to do with being paid peanuts, or not wanting to do the best job possible.

It's very easy to backseat drive and offer opinions but your opinion is based on a fallacy.


> The civil servant developers working on them do what they can, but they have been warming management, who have warned government, that they systems are insecure, but govt won't spend money on updating them.

Makes sense. So if i’m understanding this right, the fault basically lies with the decision maker(s) in government who said “nope, not worth paying $x to secure/maintain our systems”

Sounds to me like they shouldn’t be allowed to create these public facing systems in the first place if they can’t afford (or don’t want to) maintain them. no?

That would be like paying someone to build a bridge for you and then deciding to purposely ignore maintenance on the bridge when the experts warn you it needs maintenance.


> Sounds to me like they shouldn’t be allowed to create these public facing systems in the first place if they can’t afford (or don’t want to) maintain them. no?

Have you ever worked in a government job? This is a common reality in those kind of roles. Reality doesn't neatly fit into: "I have enough money to build this thing I desperately need" and "I have enough money to maintain this properly" and "I have enough budget to run the country well enough not to get kicked out of the job"


i have not worked a government job. My father did, in civil engineering in NYC.

In his discipline at least, the government _certainly__ found the money to maintain critical infrastructure. Bridges were routinely painted. Inspected for cracks. The works.

When NYC’s aging water tunnels (providing tap water from upstate NY) were in major disrepair and engineers warned of the damage, guess what happened? They got the funding to build a replacement bypass tunnel to ensure NYC was not impacted. A multi-decade project scheduled to be completed very shortly. They planned ahead. They didn’t ignore the issue and then pretend they couldn’t have predicted this would happen (lol).

From what I can tell, the ONLY reason the same care isn’t given to our IT systems is because the decision makers in charge don’t care. Am i wrong?

I agree that reality is not simple. It’s unfortunate. :(


Sounds about right.

So, shall we not protect people's data?


If someone puts a low rank admin assistant in charge then the boss needs prosecuting. It would be the public sector version of getting the boss's nephew to do it.


But that's not what happened. It wasn't left unpatched because of incompetence of the developers. It's because it cannot be upgraded to a secure version of the software and to replace the entire system would cost a lot of money. Money that the Tory govt didnt want to spend. There are ongoing efforts to reduce reliance on this legacy tech but it's not an overnight solution.


Prosecuting someone for not having a strong enough password is beyond ridiculous. Your ideal world sounds like a black mirror episode.


How would you feel if a bank used a screen door to access their vault? Protecting other people's info comes with responsibility.


How about enforcing strong passwords or non-password authentication at the org level instead of puting rank and file employees to jail?


Me personally I would like to set on fire the very people who begin to consider an upgrade to a major Windows version not earlier than it goes out of extended support.


Could you rephrase this with fewer negations? I cannot parse what you are trying to hate and therefore what point you are trying to make -- "those who begin to consider not earlier than it is not fully supported"


Can't edit anymore, so I have to bear the responsibility of that comment for life.

What I was trying to say is that some orgs upgrade their Windows OS installations after a ridiculous amount of time. Like I have legit seen a company thinking to upgrade to Windows Server 2008. And knowing them I'm sure it will take years to implement.


Gotcha. I couldn't tell because the other extreme drives me crazy too. Hey let's roll out 24H2 to everyone on Windows 11 in December, just in time for the holidays. Why, just why?


just in case people are not aware what "legal aid" or what "Legal Aid Agency" are:

> Legal aid is the provision of assistance to people who are unable to afford legal representation and access to the court system. Legal aid is regarded as central in providing access to justice by ensuring equality before the law, the right to counsel and the right to a fair trial.

> The Legal Aid Agency is an executive agency of the Ministry of Justice (MoJ) in the United Kingdom. It provides both civil and criminal legal aid and advice in England and Wales.

from https://en.wikipedia.org/wiki/Legal_Aid_Agency




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: