MoJ admits ‘significant’ cyberattack on Legal Aid Agency
Criminal record and financial data exfiltrated by hackers
Officials at the Ministry of Justice have confirmed a ‘significant’ cyberattack on the Legal Aid Agency. Data going back to 2010 is thought to have been exfiltrated, and the consequences for Legal Aid and the wider justice system could be serious.
MoJ officials have acknowledged that the personal data of hundreds of thousands of legal aid applicants was stolen from the Legal Aid Agency by hackers. The data includes names and addresses along with national identity details and financial data.
The Ministry of Justice said that it has been aware of the incident since April 23rd but realised at the end of last week that the hack was far more extensive than it initially understood. The stolen data is thought to go back to 2010.
The Legal Aid Agency (LAA) chief executive Jane Harbottle has apologised for the cyberattack, saying that she understood how the news would be considered “shocking and upsetting.”
The group behind the attack (who remain unidentified at present) claim to have accessed over 2.1 million pieces of data but that claim remains unverified. Nonetheless, the LAA and MoJ have both acknowledged the scale of this breach.
Officials have admitted that hackers may have accessed contact details and addresses of legal aid applicants, their dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments.
The LAA is responsible for administering legal aid funding, which is worth more than £2 billion per annum. There are almost 2000 providers making up the Legal Aid ecosystem, including solicitors and barrister firms and not-for-profit bodies.
Compromise of this data will have serious implications for these organisations and their current and historical clients. Legal Aid is vital for the functioning of the justice system, which is already under immense strain after years of spending cuts. Any disruption to the day-to-day running of the LAA will have far-reaching consequences for the justice system – a fact of which the attackers were very probably aware.
The MoJ has urged anyone who thinks that they may be affected by the breach to be on their guard for suspicious phone calls and to update passwords if they think they have been exposed. It continues to work with the National Crime Agency and National Cyber Security Centre to investigate the attack.
In 2023, the Law Society called on the government to invest in the LAA digital system, saying the system was “too fragile to cope”. As recently as March 2024, the Law Society pointed to the “antiquated IT systems” of the LAA as “evidence of the long-term neglect of our justice system”.
Max Vetter is VP of Cyber at Immersive. Vetter spent seven years with the Metropolitan Police Service working in the SCD6 money laundering unit in Scotland Yard, and he also taught at the GCHQ summer school. He commented:
“With 360,000 applications for legal aid processed in 2023–24, the breach could be extensive. The legal sector is built on trust, and clients expect that the personal information they share will remain safe. Therefore, when data is stolen, it is hugely damaging. The sector is attractive to cybercriminals because it holds large volumes of highly sensitive and confidential client data.
“The data will most likely be leveraged by cybercriminals to extort money from Legal Aid, as well as for identity theft and phishing campaigns. This data is so sensitive it may also be used to directly extort the persons affected. Anyone who has used Legal Aid in the past should remain vigilant for any unsolicited communications.”