‘Deep concern’ for domestic abuse survivors as cybercriminals expected to publish confidential refuge addresses

Sensitive information about women and girls who have survived domestic abuse is now expected to be exposed through a data extortion incident impacting the British government’s Legal Aid Agency, potentially revealing their locations to abusers and in some cases requiring them to move homes.

The government confirmed the incident on Monday, saying everyone who applied for aid using the service’s online platform since 2010 is believed to be affected.

A spokesperson for the Ministry of Justice (MoJ) said they now believed it was a question of “when, not if” the compromised data is published online — a position aligning with the British government’s commitment to never make an extortion payment to cybercriminals.

The cybercriminals claimed to the MoJ to have data on more than 2 million people, while the department confirmed the data may include “contact details and addresses of applicants, their dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments.”

As the data covers more than a decade of claims for legal aid, some of the addresses and other material will not be current and may not immediately be of much use to the perpetrators.

However, any repeatedly used addresses could indicate the location of women and children’s refuges, which are often highly confidential to ensure the safety of residents — with staff and other entities connected to the residence signing legal agreements to ensure they remain so.

Emma Pickering, the head of technology-facilitated abuse at Refuge, a charity supporting domestic abuse victims, told Recorded Future News the charity was aware of the data breach and “deeply concerned by the potential risks this poses to survivors of domestic abuse, for whom confidentiality and safety are critical.”

The MoJ has prepared a response plan for when the data is published, with a particular focus on identifying any impacted individuals who would be considered particularly vulnerable and at a high risk of harm, especially if their addresses were exposed.

Survivors of domestic abuse and Violence Against Women and Girls (VAWG) are expected to be at the top of that list, although asylum seekers and victims of modern slavery are also considered vulnerable groups who may need assistance.

Once high-risk individuals are identified, the MoJ expects to make attempts to proactively contact them and ask them to take appropriate steps, although the department recognises that it may prove difficult to reach all of them.

“Data breaches can give perpetrators a unique opportunity to escalate their campaign of abuse if sensitive information about a survivor is made easily accessible,” said Pickering.

“For example, if a survivor’s phone number or email address is leaked, the risk of harassment increases, which can be incredibly distressing for the survivor. 

“We have also seen cases where perpetrators misuse survivors’ contact details to impersonate them, often with the intent of causing financial harm. Data breaches can also reveal a survivor’s location — whether a full address or details of their current city or town —placing them at risk of being tracked by a perpetrator.”

Gareth Mott, a research fellow at the Royal United Services Institute (RUSI) think tank and former lecturer in security and intelligence at the University of Kent, previously told Recorded Future News about research at RUSI highlighting the severe risks faced by domestic abuse survivors in the wake of ransomware attacks.

“We talked to people about ransomware cases where there are domestic violence incidents, for example, where someone has moved house for their safety. And there were cases where they’d had to have a police officer outside the door because someone could come round with a hammer if they saw that data if it was leaked online,” Mott said.

While the British government has secured a legal injunction against the hackers or anyone else distributing this data, such injunctions rarely have an impact on criminals who attempt to operate anonymously and from hostile jurisdictions.

Refuge’s Pickering said risks are heightened when details about survivor’s children are revealed.

“This is particularly common when court documents or protective orders are leaked during a data breach and could seriously compromise a survivor’s safety plan,” she said.

Refuge has informed its service managers about the incident, and they are ensuring that the charity’s frontline staff are able to identify and support any affected service users, where it is safe to do so. It is encouraging survivors of domestic abuse and VAWG who may have submitted legal aid applications to contact their solicitors for further information and guidance.