A major cyberattack has hit the UK’s Legal Aid Agency (LAA), and sensitive data dating back to 2010 has been stolen. The Ministry of Justice (MoJ) confirmed the breach on April 23, 2025. Personal and financial information, including criminal records, was stolen.
The breach and its impact
The MoJ announced on April 23, 2025, that unauthorized access was detected in the LAA’s online systems. The data stolen includes personal details of legal aid applicants such as contact information, dates of birth, national ID numbers, criminal history, employment details, and financial records. Barristers, solicitors, and organizations, including non-profits associated with the Legal Aid Agency, may also have been affected.
The exact number of records accessed is unknown, but sources close to the case say up to 2.1 million records were hit. The MoJ has not verified this figure but says a “significant amount” of sensitive data was stolen. Initial suspicion is a criminal gang rather than a state-sponsored attack.
Jane Harbottle, chief executive of the Legal Aid Agency, apologized and warned that the incident could cause significant difficulties for many people. She said the agency has been working non-stop alongside the National Crime Agency and the National Cyber Security Centre to resolve the problem.
Broader impact and recent attacks
This is part of a wider trend of recent attacks on major UK institutions. Harrods, Marks & Spencer, and Co-op have all been hit recently. Experts say these attacks are part of a growing trend of cybercrime across all sectors.
Wayne Cleghorn, data protection and cybersecurity expert, says organizations of all sizes and sectors are under attack. He advises reinforcing basic data protection practices, boosting cybersecurity, and getting suppliers and partners to be more vigilant. According to Cleghorn, the impact of stolen sensitive data can go beyond the initial disruption and be long-term.
What to do for individuals and organizations
The LAA has taken its online digital services offline as a precaution. Legal aid providers have been notified of the potential breach of their data, and contingency plans are in place to ensure legal support continues.
The Ministry of Justice advises anyone who has applied for legal aid since 2010 to act immediately by treating unexpected calls or texts with caution, updating passwords, and confirming a sender’s identity before sharing sensitive details.
The Legal Aid Agency is a key part of the UK’s justice system, funding over 2,000 legal aid providers. In the 2023-2024 financial year, the agency processed over £2.3 billion in payments. This affects not only individuals but also the public’s trust in institutions to keep personal information safe.
As the investigation continues, the MoJ will keep the public updated. For step-by-step guidance on dealing with a potential data breach, visit the National Cyber Security Centre’s website.
