The UK’s Legal Aid Agency has fallen victim to a cyber attack, with the organization confirming a “significant amount of personal data” has been exposed.
In a statement confirming the incident, the government revealed it first became aware of the incident on April 23rd. A subsequent investigation showed the attack was “more extensive than originally understood”.
The Legal Aid Agency, which is sponsored by the Ministry of Justice (MoJ), is charged with administering legal aid funding.
According to the government, data exposed in the incident belongs to individuals who applied for legal aid through the agency’s digital service between 2010 and 2025.
This may have included contact details and addresses of applicants, according to the MoJ, as well as dates of birth, national ID numbers, criminal history, and employment status.
Similarly, financial data such as contribution amounts, debts, and payments, was also exposed.
According to alternative reports, the hackers behind the breach claim they accessed 2.1m pieces of data. This is yet to be verified.
Jane Harbottle, CEO of the Legal Aid Agency, said the organization has been “working around the clock” to tackle the incident and has been working with the National Cyber Security Centre (NCSC) to “bolster the security of our systems”.
The agency also took down its online service in response to the attack, Harbottle confirmed.
“I understand this news will be shocking and upsetting for people and I am extremely sorry this has happened,” she said.
“We have put in place the necessary contingency plans to ensure those most in need of legal support and advice can continue to access the help they need during this time.”
Legal Aid Agency breach shows real world consequences
Following the incident, the agency has urged those who have applied for legal aid to “take steps to safeguard themselves”.
This includes remaining vigilant for suspicious activity such as “unknown messages or phone calls” and to update any potentially exposed passwords”.
“If you are in doubt about anyone you are communicating with online or over the phone you should verify their identity independently before providing any information to them,” the agency said.
In the wake of data breaches, threat actors frequently use personal information such as names and email addresses to target potential victims in phishing attacks. It’s a common tactic and one that organizations subjected to cyber attacks typically warn affected users about.
Jake Moore, Global Cybersecurity Advisor at ESET, said the attack on the agency is “yet another example” of the real world impact of cyber attacks.
“When criminal records and other sensitive personal data are exposed, it is not just a matter of IT failure, it’s a breach of trust, privacy, and even safety in this case,” he said.
“Many of the individuals affected may already be in vulnerable situations and could now face the added stress of not knowing where their data will end up or how it might be used.”
