Following a recent wave of cyber-attacks in the retail sector, with companies such as M&S, Co-op and Harrods being affected, the Legal Aid Agency has now been targeted.
The UK’s Legal Aid Agency has confirmed that a ‘significant amount of personal data’ relating to legal aid applicants has been accessed and downloaded by hackers in a cyber incident, with contact details, dates of birth, national ID numbers, criminal history and financial data all at risk.
As an executive agency of the Ministry of Justice, the Legal Aid Agency provides eligibility-based government funding for legal services. The compromised digital services are used by Legal Aid providers (e.g. law firms) to log their work to receive payment. The unnamed criminal group claim to have accessed 2.1 million pieces of this highly sensitive data.
In a statement on 19 May 2025, the Ministry of Justice confirmed that while the Legal Aid Agency first became aware of the cyber-attack last month, on Friday 16 May it had discovered that the incident was more extensive than originally thought, with the hackers behind it having accessed a large amount of data on applicants as far back as 2010.
Following the incident, the Legal Aid Agency has suspended its digital services and urged those who have applied for legal aid in the last 15 years to safeguard themselves and remain extra vigilant for any suspicious activity.
Why is this so concerning?
Legal aid is regularly accessed by the most vulnerable in society, with government funding supporting those subjected to domestic abuse, at risk of losing their home or accused of a crime. The nature of the application process and eligibility criteria necessitates the submission of substantial case-related and financial information by the applicant to the Legal Aid Agency. A large proportion of this data will be special category data which needs more protection because it is sensitive.
The UK GDPR defines special category data as personal data revealing, amongst other things, racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health and sexual orientation, a combination of which could be contained in a legal aid application. The Legal Aid Agency lawfully processes this highly sensitive data under Article 9(g) of the UK GDPR for reasons of substantial public interest.
The Information Commissioner’s Office (ICO), the UK’s independent authority set up to uphold information rights, confirms that those processing special category data need to consider how the risks associated with special category data affect other obligations – in particular, security measures to safeguard the data. Safeguarding will include ensuring that technical measures are in place to protect data and could include anonymising data such that it is in a form which no longer identifies applicants.
The scale of the data potentially compromised does pose the question: why was there sensitive and special category data from up to 15 years ago still stored on the Legal Aid Agency’s servers? There are still many unknowns including whether appropriate measures had been put in place to safely store, take offline or anonymise certain types of data to mitigate risk.
Looking forward
The Legal Aid Agency’s CEO, Jane Harbottle, has apologised for the attack and confirmed they have been working closely with the National Crime Agency and National Cyber Security Centre to bolster the security of their systems to safely continue their vital legal work. Further updates are expected as investigations continue.
The incident highlights the ongoing challenges in data protection in a landscape of high-profile cyber-attacks. Recent attacks such as the cyber incident impacting M&S confirm that breaches are not sector specific and provide an unwelcome reminder that organisations should focus on proactive measures like maintaining up-to-date security systems and having a well-defined incident response plan to contain and mitigate damage.
How can we help?
If you believe your business may have fallen victim to a cyber incident, our Commercial Disputes team is here to help.