Legal Aid Agency data breach bigger than originally thought: affects data as far back as 2007

The Legal Aid Agency data breach we previously wrote about is now suspected to be even worse than originally thought, potentially affecting even more individuals, dating back as far as 2007, including domestic abuse victims, those in family cases, people at risk of losing their homes and those facing criminal prosecution. It is thought that up to 2.1 million personal records have been compromised. This is no doubt very distressing news for anyone affected and can cause a range of negative consequences for them. If you have been affected, you could be entitled to claim compensation.

The breach, which potentially affects hundreds of thousands of individuals, resulted in the LAA having to take down its digital services and has caused numerous issues and contingency measures for legal aid providers. The legal aid providers, who provide the public with a vital service, have been hit hard by this breach through no fault of their own.

What happened during the Legal Aid Agency data breach?

In May 2025, the Ministry of Justice (MoJ) announced that the government’s Legal Aid Agency (LAA) had suffered a data breach in April 2025. They stated they became aware of a cyber-attack on the Legal Aid Agency’s online digital services, but later discovered the breach was much more extensive than they originally thought, and the cyber attackers had accessed a large amount of data relating to legal aid applicants. They originally believed the attackers had downloaded a significant amount of personal data from those who had applied for legal aid through their digital service between 2010 and 16 May 2025. They now believe this could be even bigger than this and include data further back than 2010. 

In August 2025, the LAA and MoJ revealed that they believe the hack was even bigger than they thought. An update to their statement announcing the breach states they believe data as far back as 2007 may have been accessed, as well as data of applicants’ partners. In the statement, they say:

“We have updated the notice to reflect that further investigations have shown that some data going back to 2007 may have been accessed, as well as information linked to the partners of applicants. Previously, we stated the data went back to 2010.”

In response to the attack, in May, the LAA took down their online portal. They said they took ‘immediate action to bolster the security of the system, and informed all legal aid providers that some of their details, including financial information, may have been compromised.’

Taking their services offline has caused many issues and much disruption for practitioners who are having to process a lot of their work manually and can’t access a lot of the vital information and services they need to complete their jobs.

The LAA announced in late July 2025 that it will release a new portal in September called Sign into Legal Aid Services. The Ministry of Justice told the Gazette that they are working to restore core systems and services, including the benefits checker, as a matter of priority, and services will return ‘in phases’. This new service is said to be a secure platform which will allow Legal Aid Providers to log in and access LAA digital services.

The LAA said they have worked closely with the National Crime Agency and National Security Centre, as well as informed the Information Commissioner to the extent of the breach.

What caused the Legal Aid Agency data breach?

The data breach was caused by a targeted cyber-attack where a group of hackers infiltrated the LAA’s systems and viewed and downloaded a significant amount of data. While the attackers were the reason for the attack, Sarah Sackman, the Ministry of Justice minister, has stated that the crimes were made possible by the LAA’s fragile tech systems. She claimed that years of neglect had led to them becoming vulnerable which but this personal data is at risk.

What data was taken in the LAA data breach?

While it was originally believed that only data from their online digital services was accessed, which is where providers who log their work and receive payment from the Government was taken, it was later discovered a significant amount more data was accessed and downloaded by cyber-attackers which included data from legal aid applicants, including vulnerable individuals such as domestic abuse victims. The LAA now believe data as far back as 2007 was accessed.

Those who applied for legal aid services through the LAA’s digital service between 2007 and 16 May 2025 could be affected. The data stolen may have included:

• Contact details
• Addresses
• Dates of birth
• National ID numbers
• Criminal history
• Employment status
• Financial data, e.g. contribution amounts, debts and payments
• Some information about legal aid applicants’ partners may also have been breached

The LAA has urged anyone who applied for legal aid through their online system between 2007 and 16^th May 2025 to stay vigilant and take steps to safeguard themselves. This includes staying alert to any suspicious activity, such as unknown messages or phone calls, and updating any potentially exposed passwords.

While there is no evidence that the data has been published, people still need to be wary. The LAA is responsible for informing individuals whose personal data may have been affected by the breach, so if you have received correspondence from them stating your data may have been involved, you could be entitled to claim compensation.

What to do if you have been affected by the LAA data breach?

If you have received confirmation that your personal data was compromised in the Legal Aid Agency data breach, you could be entitled to claim compensation. The LAA have a legal right to protect personal data it collects and retains from individuals, and clearly, data going back 18 years had been held on out-of-date IT systems that were vulnerable to attack. This is unacceptable.

Under the General Data Protection Regulations UK (GDPR), companies must legally protect data from attacks, and if they do not, they can be fined and are liable to pay compensation to those affected. You have the right to have your personal information kept private and safe. Having your data stolen or exposed can lead to serious consequences such as identity theft, fraud and financial losses. Due to the nature of the data potentially exposed, this could be very concerning for individuals affected and could lead to extreme distress and upset.

Making a civil claim against the LAA can compensate you for any losses or distress you have suffered. If you have been affected, you should consider launching a civil claim with the help of an experienced data breach solicitor.

HNK Solicitors can help with your Legal Aid Agency data breach claim

If you are considering making a data breach claim against the Legal Aid Agency, HNK Solicitors can help. We have a team of skilled data protection solicitors who have many years of experience helping clients to obtain compensation against organisations that breach their data successfully. They have an in-depth understanding of the relevant laws and legislation surrounding data protection and can give you the best possible chance of a successful claim.

We offer free, no-obligation consultations to help you determine the validity of your claim, and we can also take on claims on a no-win, no-fee basis, so you don’t have to pay a penny upfront to start your claim. If you want more information on making a claim, or want to start a claim against the Legal Aid Agency, get in touch with our team today on 0151 668 0814 or enquiries@hnksolicitors.com. Alternatively, fill in one of the online claim forms on our website and we’ll be in touch for more information.