The UK’s Legal Aid Agency (LAA), a body under the Ministry of Justice responsible for administering legal aid, has suffered a significant cyberattack that resulted in the exposure of sensitive personal data.
Authorities first detected the breach on April 23, and subsequent investigations revealed the extent of the intrusion to be greater than initially thought. The incident has compromised information belonging to individuals who submitted legal aid applications through the agency’s online systems between 2010 and 2025.
In an official statement, the government acknowledged the severity of the data exposure, emphasizing that a “substantial amount of personal information” had been affected.
According to the Ministry of Justice, the compromised data may include a wide range of personally identifiable information. This potentially covers applicants’ contact details, home addresses, dates of birth, and national identification numbers. In some cases, even sensitive records such as employment status and criminal history may have been accessed.
Additionally, financial details related to legal aid applications were also exposed. This includes information on contribution amounts, outstanding debts, and previous payments made through the digital legal aid platform.
Authorities have not yet confirmed the total number of individuals affected but have indicated that the breach spans applications submitted over a 15-year period. An investigation is ongoing to determine the full scope and impact of the attack.
Alternative reports suggest that the threat actors behind the cyberattack are claiming responsibility for accessing approximately 2.1 million records. However, this figure has not been independently verified by government officials or investigators.
The Legal Aid Agency and cybersecurity authorities continue to assess the full scope of the breach, while efforts to confirm the legitimacy and accuracy of these claims are ongoing.
Jane Harbottle, Chief Executive of the Legal Aid Agency, acknowledged the severity of the breach, stating the organization has been “working around the clock” to respond to the incident. She confirmed that the agency is actively collaborating with the National Cyber Security Centre (NCSC) to strengthen its cybersecurity infrastructure.
As a precautionary measure, the agency has taken its online services offline to prevent further risk and to support ongoing investigations.
“I understand this news will be shocking and upsetting for people, and I am extremely sorry this has happened,” Harbottle said. “We have put in place the necessary contingency plans to ensure those most in need of legal support and advice can continue to access the help they need during this time.”
In the aftermath of the breach, the Legal Aid Agency is urging anyone who has applied for legal aid to take proactive steps to protect themselves. Recommended actions include monitoring for unusual activity such as unexpected messages, emails, or phone calls and changing any passwords that may have been compromised.
“If you are in doubt about anyone you are communicating with online or over the phone, you should verify their identity independently before providing any information,” the agency advised in its official communication.
Cybersecurity experts have warned that attackers often use stolen personal information, such as names and email addresses, in phishing schemes that attempt to trick individuals into sharing more sensitive data or downloading malicious files. Such tactics are common following large-scale data breaches.
Jake Moore, Global Cybersecurity Advisor at ESET, emphasized the serious implications of the attack: “This is yet another example of how cyberattacks can have real-world consequences. When criminal records and other highly sensitive personal data are exposed, it’s not just an IT issue it’s a breach of trust, privacy, and even personal safety.”
He added, “Many of the individuals impacted may already be in vulnerable situations, and now they face the added burden of uncertainty around how their data could be misused.”
