Millions of Legal Aid applicants at risk after “Severe and Expansive” Cyber-Attack on government system

 The Ministry of Justice has confirmed that hackers have accessed and stolen a vast amount of sensitive data from the Legal Aid Agency (LAA), in what experts are calling one of the most serious breaches in the history of Britain’s criminal justice system.

The breach, first detected on 23 April 2025, targeted the online system used by legal aid providers to log work and receive payments from government. However, it wasn't until 16 May that MOJ realised the true scale of the incident: personal data relating to everyone who applied for legal aid via the online platform since 2010 had likely been downloaded by the attackers.

Widespread Exposure of Sensitive Data

The compromised data includes contact information and home addresses; dates of birth and national ID numbers; criminal history and employment status; financial data, including debt levels, contributions, and payments.

This potentially affects over 2 million individuals, many of whom are among the most vulnerable in society. MOJ has advised all past applicants to be on high alert for suspicious messages, phishing attempts, and potential identity fraud.

A legal injunction has been secured to prevent dissemination of the stolen data, but cyber experts say such actions have limited impact when threat actors operate anonymously from hostile jurisdictions.

Agency Chief: “Radical Action Was Necessary”

In a public statement, Jane Harbottle, Chief Executive Officer of the Legal Aid Agency, expressed deep regret: “I understand this news will be shocking and upsetting for people and I am extremely sorry this has happened. Since the discovery of the attack, my team has been working around the clock with the National Cyber Security Centre to bolster the security of our systems so we can safely continue the vital work of the agency.”

“However, it has become clear that to safeguard the service and its users, we needed to take radical action. That is why we’ve taken the decision to take the online service down.”

Contingency plans have been activated to ensure that legal support continues to be available, particularly for those in urgent need.

National Security Concerns

Richard Atkinson, President of the Law Society of England and Wales, called the breach “extremely concerning,” urging the LAA to regain control of the situation immediately.

Security experts have highlighted the uniquely damaging implications of a breach affecting legal aid data. This type of information - particularly where it involves domestic violence or witness protection cases - could have real-world safety consequences if published. Legal aid applicants are disproportionately likely to be victims of abuse or involved in high-risk situations.

An Unfolding Crisis

Although the government has not confirmed the identity of the attackers, officials from the National Crime Agency and National Cyber Security Centre are leading an investigation. While the group behind the intrusion is believed to be attempting extortion, the exact motive remains unclear.

Publicly available data indicates that 388,888 legal aid applications were made in the year from April 2023 to March 2024 alone, with more than £2 billion spent on legal aid services. Given the 15-year span of the breach, the total number of impacted individuals is likely much higher.

MOJ has referred concerned members of the public to the National Cyber Security Centre's advice on responding to data breaches and cyber scams.

“The legal sector is built on trust,” said Atkinson. “When that trust is broken, it damages the entire justice system. The LAA must act decisively and transparently — and the government must ensure this never happens again.”

The Legal Aid Agency has promised further updates in the coming days.