Case Studies·1 min read

They Knew. It Happened Anyway.

By GoFirm

In April 2025, attackers accessed the UK Legal Aid Agency's systems. By May, the scale was clear: 2 million records. Names, addresses, National Insurance numbers, criminal histories, financial data. Eighteen years of sensitive personal information.

The Law Society had been flagging the LAA's outdated infrastructure since at least 2023. The vulnerabilities were known. The investment never came. When attackers arrived, the data was waiting.

The post-breach analysis followed a familiar pattern. Security leadership lacked organisational authority. Risk wasn't translated into board language. Governance frameworks weren't robust enough to force the right decisions.

All of that may be true. None of it is the point.

The real question is simple: why did bulk access to 18 years of sensitive records not require a confirmed human authority decision before it executed?

Not a policy. Not a framework. Not a risk register entry. A confirmed, biometric, out-of-band authorisation from a named individual, on a registered device, creating a permanent record of who approved that access.

Your bank requires that confirmation before moving £500. No equivalent control existed on 2 million records of the most sensitive personal data in the legal system.
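The execution boundary described above, as an added illustration that is not GoFirm's product code: a gate in front of the data layer that refuses any read at or above a bulk threshold unless a named approver has confirmed that exact request from a registered device, and that records every decision. The threshold, the device registry, the HMAC-based approval token and the audit log shape are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical execution-boundary gate: a bulk read of personal records is
# refused unless a named approver has confirmed it out-of-band from a
# registered device, and every outcome is written to an append-only audit log.

BULK_THRESHOLD = 1_000  # assumed: reads at or above this size need human authority

# Constructed registry of approver devices -> per-device signing secrets.
# In a real deployment the secret would live in the device's secure element.
REGISTERED_DEVICES = {"approver-phone-01": b"constructed-device-secret"}

AUDIT_LOG = []  # permanent record of who approved which bulk access


def request_digest(query: dict) -> str:
    """Canonical hash of the request, so an approval cannot be reused for a different query."""
    return hashlib.sha256(json.dumps(query, sort_keys=True).encode()).hexdigest()


def sign_approval(device_id: str, approver: str, digest: str) -> dict:
    """Simulates the out-of-band confirmation produced on a registered device after biometric unlock."""
    key = REGISTERED_DEVICES[device_id]
    msg = f"{approver}|{device_id}|{digest}".encode()
    return {"approver": approver, "device_id": device_id, "digest": digest,
            "sig": hmac.new(key, msg, "sha256").hexdigest()}


def approval_is_valid(approval: dict, digest: str) -> bool:
    """True only if the approval comes from a registered device and is bound to this request."""
    key = REGISTERED_DEVICES.get(approval.get("device_id"))
    if key is None or approval.get("digest") != digest:
        return False  # unknown device, or approval issued for a different request
    msg = f"{approval['approver']}|{approval['device_id']}|{digest}".encode()
    expected = hmac.new(key, msg, "sha256").hexdigest()
    return hmac.compare_digest(expected, approval.get("sig", ""))


def execute_read(query: dict, record_count: int, approval: Optional[dict] = None) -> str:
    """Returns 'executed' or raises PermissionError; sits between the caller and the data store."""
    if record_count < BULK_THRESHOLD:
        return "executed"  # routine access, below the bulk boundary
    digest = request_digest(query)
    if approval is None or not approval_is_valid(approval, digest):
        AUDIT_LOG.append({"ts": time.time(), "digest": digest, "outcome": "refused"})
        raise PermissionError("bulk access requires a confirmed human authority decision")
    AUDIT_LOG.append({"ts": time.time(), "digest": digest, "outcome": "executed",
                      "approver": approval["approver"], "device": approval["device_id"]})
    return "executed"
```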

The LAA breach is not a technology failure or a leadership failure. It is an execution boundary failure. The data was accessible without verified human authority.

That is the gap GoFirm closes.
