In late April this year, the UK's Legal Aid Agency discovered a cyber attack on its online digital services, which are used by legal aid providers to log work and receive payment from the Government. As a result, the Legal Aid Agency has been forced to take its digital services offline.

On 19 May 2025, Sarah Sackman, the Minister of State at the Ministry of Justice, confirmed that the attackers had accessed a large amount of personal information belonging to legal aid applicants. The compromised information includes contact details, home addresses, dates of birth, national ID numbers, criminal records, employment status, and financial data, some of which dates back as far as 2010.

The Ministry of Justice is currently investigating the breach with the National Crime Agency and the National Cyber Security Centre. As of now, the breach has been attributed to longstanding vulnerabilities in the agency’s outdated IT infrastructure. This harks back to the Law Society's criticism in 2023 of the Government's failure to modernize the Legal Aid Agency digital system, and its call to invest in cybersecurity upgrades to the system.

For individuals, exposure of personal data can lead to identity theft, financial fraud, and targeted phishing attacks. Victims may find themselves dealing with unauthorised credit applications, fraudulent benefit claims, or reputational damage. In some cases, particularly for vulnerable individuals involved in legal disputes, the breach of confidentiality could potentially pose physical or emotional risks which could give rise to legal claims.

This breach, along with a number of other recent and high-profile cyber-attacks, serves as a stark reminder that cybersecurity should be a core operational priority for any organisation, with a range of internal stakeholders involved in the risk management and response framework. Organisations handling particularly sensitive personal information must take a proactive approach to adopting robust cyber defence measures, which entails not only upgrading legacy systems, but also embedding cybersecurity into the organisation's culture through regular training, clear protocols, and executive-level accountability.

Moving forward, companies should implement a comprehensive cybersecurity framework that includes real-time threat detection, incident response planning, and regular penetration testing. Investing in zero-trust architecture, multi-factor authentication, and encryption of sensitive data can significantly reduce exposure to threats. Moreover, collaboration with cybersecurity experts and legal advisors ensures that both technical and regulatory aspects are addressed, helping organizations stay resilient in the face of evolving cyber threats.

As investigations continue, the Ministry of Justice has urged anyone who applied for legal aid since 2010 to remain vigilant, update passwords that may have been exposed, and be on the alert for suspicious activity.

In light of the growing sophistication of cybercrime, it is more important than ever for organizations to implement robust cybersecurity measures to mitigate risk, from both a technical and an organisational perspective.

Combining the legal excellence of Trowers' cyber team and award-winning cyber experts, CyberQ, CyberSecure 360 offers legal and technical cybersecurity advice tailored to clients' requirements – from assessing compliance with cyber policies, undertaking risk assessments through penetration testing and incident response planning to providing training and playing out war-room scenarios in real time.

For more information or to discuss your cyber and fraud prevention needs please contact our specialist cyber team.