Friday, November 14, 2025

Hackers infiltrated Legal Aid Agency systems four months before cyber attack uncovered

LAA confirms hackers accessed its systems in December 2024, months before the April 2025 discovery

Hackers accessed the Legal Aid Agency’s (LAA) digital systems four months before the organisation became aware of a major cyber attack, newly published documents reveal.

The LAA, which administers England and Wales’ multi-billion-pound legal aid scheme, confirmed in its latest annual report that the systems breach began in December 2024, long before it was detected in April 2025. The attack has caused months of disruption for law firms and practitioners who rely on the agency’s digital services to log work, submit applications, and receive payments.

The agency announced on 19 May 2025 that it had become aware of a cyber incident on Wednesday 23 April, but internal investigations have since shown that data had been compromised far earlier. The report stated:

“The cyber attack detected in April 2025 was reported to the Information Commissioner’s Office (ICO) and our investigation into the attack has shown that systems were breached from December 2024 with data being exfiltrated from January 2025.”


The revelation raises new questions about how long the attackers were able to access confidential data before detection and what information may have been stolen. The Ministry of Justice (MoJ), which oversees the agency, said it was working urgently to restore systems and minimise further impact.

A Ministry spokesperson told the Law Society Gazette: “We understand the challenges this situation presents for legal aid providers. We are working as fast as possible to restore our online systems and have put in place contingencies to allow legal aid work to continue safely with confidence.”

The MoJ said that interim measures had been implemented to keep essential legal aid services running. Interim payments have been introduced for civil cases, payments for criminal cases have resumed, and urgent civil applications are being fast-tracked and backdated where necessary.

The cyber attack has been one of the most disruptive incidents in the LAA’s history, with many solicitors unable to access critical case management systems. The attack forced the agency to take its online systems offline for several weeks.

During the Legal Aid Practitioners Group annual conference earlier this week, practitioners pressed senior officials for clarity on when full digital services would resume.

Hitesh Patel, the LAA’s deputy chief executive, told attendees that while crime systems are now back online, civil systems such as the Client and Cost Management System (CCMS) will remain offline until mid-November 2025. Patel said the agency was deliberately withholding details of the technical recovery process to prevent further security risks.

“We are not communicating everything being done to restore the system because these are the things we do not want to communicate to the outside world, to the cyber attackers,” Patel said.

The prolonged outage has prompted growing frustration among legal aid providers, who depend on timely access to the systems to process cases and receive payment. Several firms have warned of financial strain caused by delayed disbursements, while representative bodies have called for compensation.

The House of Commons Public Accounts Committee is set to question senior MoJ and LAA officials today about the handling of the attack and the recovery process. The committee is expected to examine why the breach went undetected for several months and whether sufficient cybersecurity measures were in place.

Earlier this month, legal aid lawyers expressed concern that the scale of the data breach was “larger than first thought”, with fears that sensitive client information may have been compromised. The ICO investigation is ongoing, and the LAA has pledged full cooperation with regulators and law enforcement authorities.

The attack, which has exposed the vulnerability of public-sector legal systems, has also renewed calls for stronger cybersecurity investment across justice agencies. Industry experts have said that the incident should serve as a warning about the growing sophistication of cyber threats targeting government infrastructure.

As of late October, the LAA continues to operate with reduced digital capacity. The agency has not confirmed how much data was accessed or whether any ransom demand was made, citing the sensitivity of ongoing inquiries.
