Five reasons you should be more worried than you probably are about the Legal Aid data breach

The implications of this cyberattack are far more severe than headlines suggest


The cyberattack on the Legal Aid Agency has been upgraded from ‘security incident’ to a widespread attack, which has led to the agency taking down its online services and investigating with the NCSC. Here are five reasons you should be concerned about the breach.

The news of a data breach at the Legal Aid Agency (LAA) has been public knowledge for several weeks. However, it only became clear earlier this week that what the LAA initially described as a mere “security incident” was, in fact, a devastating and widespread cyberattack.

Too slow to respond

The first reason this breach should worry you is the LAA’s sluggish response. Unlike companies such as the Co-op or M&S, the LAA seemingly lacked the necessary tools, expertise, and protocols to detect the attack promptly, let alone contain or mitigate its impact.

Dray Agha, Senior Manager of Security Operations at Huntress, explained:

"From what’s been shared publicly, it sounds like the attackers had significant dwell time before detection. At Huntress, the trending intel we're seeing suggests attackers do not immediately trigger some security alarms because their methods are subtle, such as living off the land, masquerading as legitimate user activity. This underscores the importance of persistent, behaviour-based threat detection, not just perimeter defences and best hopes."

Despite the intruders’ efforts to disguise their activities, the stark reality is that the LAA remained unaware of the breach long after the window to prevent further damage had closed.

Nature and sensitivity of the stolen data

The second major concern is the nature of the breach itself. At the time of writing, neither the LAA nor the Ministry of Justice (MoJ) has confirmed whether this was a ransomware or extortion attack. However, all signs point toward the latter. Unlike ransomware attacks where data is encrypted, in this case, data was exfiltrated.

The stolen information dates to 2010 and includes highly sensitive details such as names and addresses of domestic violence victims, as well as financial and identity data of anyone who has applied for legal aid in the last 15 years. This data is a treasure trove for malicious actors aiming to exploit individuals at their most vulnerable.

While confirmation is pending, the scale and sensitivity of the data strongly suggest an extortion-based attack. The breach also bears striking similarities to recent attacks on M&S, Co-op, and Harrods, which have been linked to the Scattered Spider group—known for deploying DragonForce ransomware.

What is truly frightening for those affected is what comes next. Matt Cooke, EMEA Cybersecurity Strategist at Proofpoint, warns:

"The risk of leaked personal data being used in social engineering attacks is significant. Criminals may leverage information obtained in the breach to craft highly convincing phishing emails, text messages, or even phone calls. They might impersonate Legal Aid Agency representatives, law firms, or even government officials, attempting to extract further sensitive information or trick individuals into transferring money."

Part of a pattern of attacks against critical infrastructure

The third reason you should be worried is that this attack is the latest in a long line of attacks on UK critical infrastructure. During his speech at CyberUK barely a fortnight ago, Richard Horne, CEO of NCSC, said that the organisation had recorded more than 200 hacks since September 2024 – twice as many significant incidents as in the same period a year ago.

Hostile nation-states and organised cybercrime groups—many with overlapping connections—are relentlessly probing the infrastructure that underpins this country. They are actively searching for vulnerabilities and finding them. It is certain that they will return, armed with deeper knowledge and more stolen data, ready to launch more sophisticated attacks.

Impact on a justice system on the edge

The fourth reason for concern is the broader impact on our justice system, which is already balanced on a knife edge. During UK elections, the attention of voters rarely centres on the welfare of criminals, or the struggles faced by legal aid-funded solicitors. This makes justice an easy target for budget cuts. Unfortunately, the damage caused by these cuts is cumulative and often only becomes visible years later—well beyond the electoral cycle.

This steady accumulation of cuts explains why court cases now take years to reach trial and why we are seeing waves of convicted criminals being released earlier than originally intended.

Funding cuts have led to the digital infrastructure of the justice system falling into disrepair, which is probably why it was such an easy target. Speaking to The Guardian earlier this week, Richard Atkinson, President of the Law Society, said:

“The fragility of the IT system has prevented vital reforms, including updates to the means test that could help millions more access legal aid, and interim payments for firms whose cash flow is being decimated by the backlogs in the courts, through no fault of their own.

“If it is now also proving vulnerable to cyber-attack, further delay is untenable.

“Legal aid firms are small businesses providing an important public service and are operating on the margins of financial viability. Given that vulnerability, these financial security concerns are the last thing they need.”

The erosion of trust

The final—and perhaps most damaging—reason to be concerned is that this attack is likely to lead to a further erosion of trust in a country where that precious commodity is already in dangerously short supply. Richard Atkinson spelled out the grave consequences of this loss of faith in the justice system last year:

“I don’t want to be overdramatic, but when people lose faith in the criminal justice system the risk is that they seek to find justice in alternative ways — more direct ways.”

Graeme Stewart, Head of Public Sector at Check Point Software, voiced a similar concern, warning that cyberattacks have become so commonplace they barely register in the public consciousness. What makes this especially frustrating is that it is the public who suffer the most.

“This isn’t because people don’t care,” said Stewart. “It’s because they feel powerless. There is a growing sense that these attacks are inevitable, that the systems we trust cannot be protected, and that we have no control. That kind of fatigue is dangerous. It allows cybercrime to become normalised.”

Stewart continued:

“These breaches are not just about data. They are about people. When deeply personal information is exposed, it can be used to steal identities, commit fraud, or intimidate those already in vulnerable positions. And when it happens in the very systems designed to support the public, the impact runs far deeper than inconvenience. It damages trust.

“We need to move beyond a culture of crisis response. Cybersecurity is not only a technical priority. It is a matter of public confidence, personal safety, and fundamental trust in the institutions we all rely on.”
