The personal data of hundreds of thousands of legal aid applicants in England and Wales, dating back to 2010 and including criminal records and financial details, has been accessed and downloaded in a "major" cyber attack.
Officials acknowledge that the data may include applicants' contact information and addresses, dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments.
The hackers claim to have accessed 2.1 million pieces of data, a number that has not been verified so far.
The breach will cause alarm among hundreds of thousands of applicants and legal aid lawyers.
A justice source blamed the breach on the previous administration’s “neglect and mismanagement”, saying that vulnerabilities in the Legal Aid Agency (LAA) system have been around for years.
“This data breach is possible due to the long-term neglect and mismanagement of the judicial system in the last administration.
"They knew the vulnerability of the digital system of legal aid agencies, but did not take action," the source said.
Officials became aware of the cyber attack on the LAA’s online digital service on April 23, but realized on Friday that it was more extensive than initially thought.
The LAA's online digital service, which legal aid providers use to record their work and get paid by the government, has been taken offline.
"We believe the group has accessed and downloaded a large amount of personal data from people applying for legal aid through our digital services since 2010," the Ministry of Justice (MoJ) said.
“These data may include contact information and the applicant’s address, date of birth, country ID number, criminal history, employment status and financial data such as contribution amount, debt and payment.
“We urge all members of the public who have applied for legal aid during this period to take steps to protect themselves. We recommend that you remain alert to any suspicious activity (such as unknown messages or phone calls) and be extra vigilant in updating any potentially exposed passwords.
“If you have questions about anyone you are communicating with online or via telephone, you should independently verify their identity before providing them with any information.”
The MoJ has been working with the National Crime Agency and the National Cyber Security Centre, and has notified the Information Commissioner.
LAA CEO Jane Harbottle apologized for the breach: “I know this news will shock and frustrate people and I feel very sorry.
“Since the attack was discovered, my team has been working around the clock with the National Cyber Security Centre to enhance the security of the system so that we can safely continue the important work of the agency.
"But it's clear that to maintain the service and its users we need to take radical action. That's why we decided to take down the online service," she said.
Harbottle said there should be contingency plans to ensure that those who need legal support and advice can continue to access it.
In 2023, the Bar Association called on the government to invest in the LAA digital system, saying the system was "too fragile to cope". As recently as March 2024, the Bar Association pointed out that the LAA's "outdated IT system" is "evidence of our long-term neglect of the judicial system."