The UK’s Legal Aid Agency (LAA) has confirmed it suffered a serious data breach following a cyberattack that took place in April, exposing sensitive personal details of legal aid applicants going back more than a decade.
The breach was disclosed on Monday by both the LAA and the Ministry of Justice, revealing that attackers had gained unauthorized access to the agency’s systems. The agency—responsible for providing legal aid services across England and Wales—first identified the intrusion on April 23. However, a deeper investigation with help from the National Crime Agency and the National Cyber Security Centre revealed the attack had been far more extensive than initially believed.
By May 16, it became clear that the attackers had accessed and stolen a large cache of data. The breach affects individuals who submitted legal aid applications online since 2010, and the stolen data includes deeply personal information—names, contact details, home addresses, dates of birth, national insurance numbers, criminal records, employment details, and even financial information such as payment history and debts.
Reports in the UK suggest that up to 2.1 million records may have been compromised, though that number has not been officially verified by the government. The identities of the hackers involved have not been publicly disclosed.
LAA CEO Jane Harbottle said the agency is taking “radical action” in response. The affected online system has been shut down as a precautionary measure while the agency works to boost cybersecurity protections and implement contingency measures.
Despite the disruption, Harbottle emphasized that support remains available: “We’ve put in place the necessary plans to ensure people who need legal aid can still access vital services during this time.”
