UK Legal Aid Agency reports security incident
Learn More
The Legal Aid Agency (LAA), a UK government body responsible for administering billions of pounds in legal funding, has been hit by a significant cyber security incident. The LAA oversees approximately £2.3 billion in legal aid funding per their 2023/24 financial reporting.
According to information published on May 6, 2025, the LAA has identified a security incident that potentially compromised sensitive financial information. In a letter sent to law firms last week, the agency warned that "it is possible that financial information relating to legal aid providers may have been accessed by a third party" though they could not confirm "what, if any, information was accessed".
The potential breach could affect nearly 2,000 providers contracted to deliver legal aid services in England and Wales, including:
- Solicitors' firms
- Barristers
- Not-for-profit organizations
- Telephone operators
No details are disclosed about the nature of the attack, any exposed data or number of affected individuals. The LAA has stated that the incident "is being investigated in accordance with our data security processes, and action has been taken to mitigate the incident."
The UK Ministry of Justice (MoJ) has confirmed they are working with the National Crime Agency and National Cyber Security Centre to investigate the breach.
Update - as of 19th of May 2025, the UK's Ministry of Justice (MoJ) confirmed a major data breach affecting the Legal Aid Agency, with hackers successfully accessing and downloading "a large amount of information" from individuals who applied for legal aid in England and Wales. According to the MoJ statement anyone who used the Legal Aid Agency's online platform since 2010 may be affected by this breach, potentially exposing some of the most vulnerable members of British society to significant privacy risks.
The hackers are claiming to possess data on more than 2 million people. The exposed data includes:
- Contact details and addresses of applicants
- Dates of birth
- National ID numbers
- Criminal history records
- Employment status information
- Financial data (including contribution amounts, debts, and payments)
The Legal Aid Agency has completely shut down its online service as a result of the breach. The breach has drawn concern from domestic abuse advocates due to the potentially catastrophic implications for survivors' safety. Any repeatedly used addresses could indicate the location of safe houses for women and children's refuges, which are often highly confidential to ensure the safety of residents.
