A Legal Aid data breach has exposed a “significant amount” of sensitive personal information belonging to people who applied for legal assistance.
Legal Aid provides legal advice, family mediation, and representation to qualifying individuals, including victims of domestic violence, early and forced marriages, and various forms of discrimination.
“We believe the group has accessed and downloaded a significant amount of personal data from those who applied for legal aid through our digital service since 2010,” it stated.
The breach was first detected on April 23, 2025, but the Ministry of Justice says it only recently learned that the data breach was “more extensive than originally understood.”
Legal Aid data breach leaks millions of sensitive records
According to the Ministry of Justice, the data breach leaked the victims’ addresses, dates of birth, national ID numbers, criminal history, employment, and financial history, including contribution amounts, debts, and payments.
When leaked to the public, that information could irreparably damage individuals who were arrested or interrogated without being charged with any crime. Individuals who requested a public defender and later changed to private representation were also affected. The data breach put these individuals at risk of cyber extortion and blackmail.
“We may expect massive but targeted blackmailing campaigns against the victims, as well as their employers or relatives,” said Dr. Ilia Kolochenko, CEO at ImmuniWeb. “For example, if a person has (or had) an unspent conviction and currently works in a sensitive area of economy, such as wealth management or financial audit, his or her employer may wish to pay a ransom to avoid bad publicity for the firm – even if all underlying risks were duly addressed as provided by law, industry standards and applicable internal policies.”
While the ministry has yet to release the actual number of individuals impacted, threat actors claim the data breach exposed over 2 million records.
“The leakage of sensitive data from Legal Aid appears to be significant,” said Max Vetter, VP of Cyber at Immersive. “The attackers claim to have accessed 2.1 million pieces of data, and with 360,000 applications for legal aid processed in 2023–24, the breach could be extensive.”
Meanwhile, the Ministry of Justice advises Legal Aid data breach victims to remain vigilant for potential phishing by verifying the identities of the individuals they communicate with online or over the phone, before providing any sensitive personal information.
Legal Aid is also working with the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) to investigate the data breach. The Ministry of Justice has also confirmed that government systems were not compromised during the Legal Aid breach.
However, Legal Aid has taken its systems offline, including client portals for submitting work and requesting payments. Legal Aid contractors can contact the MoJ and request payments via dedicated phone numbers and email addresses.
Meanwhile, lawyers have criticized Legal Aid’s cybersecurity practices, with the Law Society of England and Wales urging the Ministry of Justice’s body to “get a grip of the situation immediately.”
The independent professional body also lamented the scarce information regarding the data breach, suggesting that Legal Aid was not forthcoming.
Legal Aid’s systems neglected for years
In 2023, the Law Society had described Legal Aid’s systems as “too fragile to cope” and requested additional investment. In 2024, it also described the systems as “antiquated” and highlighted years of neglect.
Admitting that the “vulnerabilities of the Legal Aid Agency digital systems” were known for years, the MoJ attributed the data breach to the “neglect and mismanagement” of the previous administration. Subsequently, the agency is working to build an upgraded system, which will be available in the coming weeks.
“The government’s digital infrastructure has become an irresistible target because legacy systems often go untested for years,” said Andrew Obadiaru, CISO, Cobalt. “Breaches like this highlight the importance of continuous offensive testing—not just once a year, but as an integrated part of system upkeep. This also emphasizes the need for a comprehensive data minimization and retention program.”
Meanwhile, the agency has also apologized for failing to prevent the data breach and says it understands the impact it would have on the victims.
“I understand this news will be shocking and upsetting for people and I am extremely sorry this has happened,” Jane Harbottle, a Legal Aid spokesperson, said.
Meanwhile, the threat actor’s identity remains unknown or undisclosed. However, the data breach does seem to bear the hallmarks of state-sponsored activity.

