LAA says data breach goes as far back as 2007

The cyber attack on the Legal Aid Agency could have been bigger than first thought with the Ministry of Justice (MoJ) now admitting it thinks data as far back as 2007 could have been compromised. 

The attack occurred on 23rd April 2025 and was first reported in early May this year. A subsequent update later in the month indicated the extent of the breach had been greater than first anticipated with as many as 2.1m personal record compromised, including contact details, addresses, national insurance number, employment status and financial data. At the time the MoJ urged anyone who applied for legal aid since 2010 to update any passwords that could have been exposed, and be alert to unknown messages and phone calls.

On Friday 16th May the Legal Aid portal was taken offline and in the day following the LAA says it ‘took immediate action to bolster the security of the system, and informed all legal aid providers that some of their details, including financial information, may have been compromised.’

Now the MoJ says data as far back as 2007 has been accessed by criminals. A statement published today (Thursday 31st July) said

“We believe the group accessed and downloaded a significant amount of personal data from those who applied for legal aid through our digital service between 2007 and 16 May 2025 when the systems were taken offline.”

The LAA says it has worked closely with the National Crime Agency and National Cyber Security Centre as well as informing the Information Commissioner to establish the extent of the breach.

This data may have included contact details and addresses of applicants, their dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments. In some instances, information about the partners of legal aid applicants may be included in the compromised data.

“We would urge all members of the public who have applied for legal aid in this time period to take steps to safeguard themselves. We would recommend you are alert for any suspicious activity such as unknown messages or phone calls and to be extra vigilant to update any potentially exposed passwords. If you are in doubt about anyone you are communicating with online or over the phone you should verify their identity independently before providing any information to them.”

“An injunction has been put in place to prohibit sharing of this data. Anyone who does so could be sent to prison.”

Earlier this week the LAA said a brand new portal, currently under construction, could go live in September and has written to Legal Aid firms advising of the information it needs to set up accounts. 

Information and guidance for how to protect clients from the impact of a data breach can be found on the National Cyber Security Centre (NCSC) website.