Cyber breach targets vulnerable legal aid applicants as the outdated IT system draws fierce criticism
A devastating cyber attack on the Legal Aid Agency (LAA) has compromised potentially millions of records, triggering outrage across the legal profession over the government’s continued reliance on an “antiquated” IT system.
The breach, first discovered on April 23, has exposed highly sensitive information—including criminal records, dates of birth, National Insurance numbers, and payment data—belonging to people who applied for legal aid as far back as 2010, the Ministry of Justice (MoJ) confirmed.
Embed from Getty ImagesThe attack has sent shockwaves through the legal sector, particularly because the LAA’s digital infrastructure had long been criticised for being outdated and vulnerable. Lawyers are warning that victims of domestic abuse, survivors of modern slavery, and those accused of crimes may now face grave risks, including blackmail and identity theft.
Concerns are especially acute for wealthy individuals who may have used a duty solicitor when arrested but were never charged. Their names could now be linked to criminal records through no fault of their own, making them susceptible to extortion.
A group claiming responsibility says it accessed 2.1 million pieces of data, though the MoJ has not verified this figure. The National Crime Agency is leading the investigation and is currently treating the breach as isolated, despite recent attacks on Marks & Spencer, the Co-op, and Harrods.
Richard Atkinson, president of the Law Society of England and Wales, issued a sharp rebuke: “It is extremely concerning that members of the public have had their personal data compromised. The LAA must get a grip on the situation immediately.
“This incident underlines the urgent need for investment in digital infrastructure. The system’s fragility has already delayed key reforms like the means test update, which could help millions more access legal aid. If it is now also proving vulnerable to cyber attacks, further delay is untenable.”
Atkinson added that many legal aid firms, already operating on razor-thin margins, now face additional security concerns they can ill afford. “These are small businesses offering a vital public service. They shouldn’t be forced to deal with government negligence on top of existing court backlogs and cash flow issues.”
The MoJ admitted the scope of the attack was far wider than initially believed. Although it discovered unauthorised access in late April, it wasn’t until six weeks later—last Friday—that officials realised the full extent of the breach.
Critics argue the incident reflects a pattern of neglect. The LAA’s IT system has long failed to keep pace with modern security standards, hampering everything from interim payments to case processing speeds.
Despite repeated warnings, successive governments have underinvested in the agency’s digital capabilities. Legal professionals now say that this breach must serve as a wake-up call, urging the government to prioritise cyber resilience across the justice system.
So far, no details have been released regarding how the attackers breached the system, though investigations are ongoing. The government has not confirmed whether it will offer compensation or protection to those affected, many of whom may be particularly vulnerable individuals.
The LAA handles applications from individuals facing criminal charges, family court cases, or vulnerable situations such as domestic violence and trafficking. The exposure of their personal data presents not just a privacy issue, but a serious threat to public trust in the justice system.
