What is a "detection delay" in a data breach?

Detection delay is the time between an attacker entering a system and the organisation discovering the intrusion.

Why do attackers try to stay undetected?

Attackers try to stay undetected so they can explore systems identify valuable data and extract it slowly without triggering alerts.

Does longer dwell time usually increase the impact?

It can because a longer dwell time allows attackers to access more systems and copy a larger volume of records before the breach is stopped.

Is a four-month delay a big deal?

Yes a four-month delay is significant when highly sensitive legal and financial data may have been exposed and attackers could be building dossiers on individuals.

How can a breach go undetected for months?

Common reasons include limited monitoring weak alerting rules or legacy systems that lack comprehensive logging which means the intrusion slips through until the damage is noticed.

Does a delay automatically mean negligence?

Not automatically legal responsibility depends on what security measures were reasonable for the organisation in context and whether the controls met industry standards at the time.

Can detection delay affect compensation outcomes?

It may be relevant to arguments about security controls and preventability but compensation outcomes vary based on evidence and the individual impact.

What questions do regulators ask about delay?

Regulators typically ask what monitoring existed which alerts fired if any what was missed and what improvements were made after the delay was discovered.

Does a delay increase phishing/scam risk?

Potentially because stolen data can be used later to craft convincing scams that reference the breach or the victim's legal aid application.

What should affected people do differently because of a long delay?

Be cautious about unexpected calls or messages referencing legal aid keep a record of suspicious contact and report anything that looks like an attempt to exploit the delay.

Data breach detection delay

The four-month delay between the Legal Aid Agency incident and confirmation means attackers had time to explore systems. Understanding dwell time and delayed breach detection helps you decide how to keep your data secure and support any claim.

This page explains why detection delay matters, the controls investigators review and what it could mean for compensation arguments.

Back to the main claim hub Check my eligibility Evidence checklist

Delay, dwell time and why it matters

Dwell time refers to how long attackers remain inside a system undetected. In this incident, it is believed the Legal Aid Agency breach remained hidden for 4 months, giving the attackers space to collect sensitive legal aid data. That time can drive up the impact for individuals because more records are exposed and more convincing scams can be generated later.

1. Investigators look at the timestamp of the first intrusion and when the incident was detected.
2. A longer delay can highlight gaps in logging, monitoring or alerting.
3. Regulators also want to know what changes were made once the breach was discovered.

FAQs about detection delay

Last updated: 3 January 2025