Millions at risk after attackers steal UK legal aid data dating back 15 years

London: A “significant amount of personal data” belonging to legal aid applicants dating back to 2010 in the UK was stolen by cybercriminals, the Ministry of Justice (MoJ) confirmed Monday.
The announcement follows the initial news from May 6 of an attack on the UK’s Legal Aid Agency (LAA), an MoJ-sponsored organization that allows legal aid workers to record their hours and bill the government accordingly. The aid is means-tested, granted to people on low incomes and with limited savings.
The attack itself was detected on April 23 but investigators found on May 16 that the damage was “more extensive than originally understood and that the group behind it had accessed a large amount of information relating to legal aid applicants.”
Affected data goes back to 2010 and could include applicants’ contact details, home addresses, dates of birth, national ID numbers, criminal histories, employment statuses, and financial data such as contribution amounts, debts, and payments.
As ever with data spillages, each individual is likely to be affected differently, with some having more personal data stolen than others.
The MoJ didn’t specify the number of people believed to be affected, but publicly available data [PDF] shows the number of legal aid claims made in the last reporting year – April 2023 to March 2024 – stood at 388,888, of which 96 percent were granted. This also represented a 7 percent increase in applications compared to the previous reporting year.
It should also be noted that each application may involve more than one individual.
The PA news agency reported that 2.1 million data points were stolen, although the MoJ has not officially corroborated this.
Other data published by the MoJ shows that over £2 billion ($2.7 billion) was spent on legal aid between April 2023 and March 2024.
All members of the public who applied for legal aid between 2010 and 2025 were advised to be extra vigilant about suspicious activity such as unknown calls and messages, and advised to change their passwords.
Max Vetter, VP of cyber at Immersive, who also spent years at the Metropolitan Police and taught at the GCHQ summer school, said that due to its sensitivity, the data could be used to extort not only the LAA but also the affected individuals.
“The legal sector is built on trust, and clients expect that the personal information they share will remain safe,” he added. “Therefore, when data is stolen, it is hugely damaging. The sector is attractive to cybercriminals because it holds large volumes of highly sensitive and confidential client data.
“For now, Legal is working quickly to alert consumers who are affected. Clear and actionable communications are essential after a breach, and customers will want strong assurances about the impact on their personal data and the steps they can take to protect themselves from any potential fallout.”
The MoJ also directed the public to the National Cyber Security Centre’s guidance on protecting against scams following a data spillage.
“I understand this news will be shocking and upsetting for people, and I am extremely sorry this has happened,” said Jane Harbottle, CEO at the LAA.
“Since the discovery of the attack, my team has been working around the clock with the National Cyber Security Centre to bolster the security of our systems so we can safely continue the vital work of the agency.
“However, it has become clear that to safeguard the service and its users, we needed to take radical action. That is why we’ve taken the decision to take the online service down.
“We have put in place the necessary contingency plans to ensure those most in need of legal support and advice can continue to access the help they need during this time.
“I am incredibly grateful to legal aid providers for their patience and cooperation at a deeply challenging time.
“We will provide further updates shortly.”