Legal Aid Agency data breach

Contingency measures extended

We pushed for an extension to contingency measures alongside the Legal Aid Practitioner’s Group (LAPG).

We welcomed the LAA’s decision to extend the Average Weekly Payment (AWP) contingency measure.

Previously the LAA had indicated that the scheme would end within two weeks of the Client and Cost Management System (CCMS) being restored.

We argued that, even if the restored CCMS functions properly, it is likely to be several weeks before providers could have submitted and received payment for outstanding bills.

Further cashflow problems would also have occurred if AWPs ceased before the outstanding bills were paid.

From 1 December 2025, bill functionality was restored on CCMS, which is now online again for all civil legal aid users.

Access to CCMS

We urged the LAA to extend contingency payments until firms had access to CCMS.

On 24 November 2025, providers with both a crime and civil contract were given access to CCMS.

Functionality was limited to non-billing work until system performance had been assessed. Access to billing user roles will be restricted.

The LAA reinstated full functionality and associated billing user roles for CCMS on 26 November 2025.

From 1 December 2025, providers with civil-only contracts were brought onto the system, with full CCMS functionality.

Civil billing system restoration

We asked the LAA to get the civil billing system live.

We also urged the LAA to reconsider previous proposals for stopping contingency payments and recouping sums paid.

Our priorities include:

• pressing for a clear and published timeline for the full restoration of the LAA’s digital system, as part of the 10 steps being pursued
• securing assurances that the LAA will not recoup payments if it disagrees with a firm’s use of delegated powers
• calling for the urgent implementation of a contingency billing process for civil cases
• seeking a fair and realistic recoupment timetable for contingency payments, considering the substantial backlog of bills that will remain after the system is restored
• continuing to push for appropriate compensation for providers to reflect the financial impact of the outage

Our calls to get the justice system back online

We're lobbying the UK government, the judiciary and the LAA to take 10 essential steps.

1. Get the LAA’s IT operational again

The LAA must set out a timetable for restoring online services.

2. Streamline contingency arrangements and put trust in legal aid providers

The LAA should delegate grants of legal aid for:

• criminal cases in the magistrates’ courts

• extensions and amendments to grants of legal aid in civil cases

• initial grants in non-means, no merit tested cases (for example, care proceedings)

• judicial review

A provider’s decision under delegated powers should be final.

The only exceptions should be if the grant of legal aid exceeds their legal authority or is made in bad faith.

3. Ensure vital representation in the courts and protect vulnerable individuals

Following guidance from the senior presiding judge, the courts should actively monitor the data breach’s impact on the effectiveness of court hearings.

4. Provide full transparency on what data was accessed and how it was secured

Why the LAA held data going back to 2010 and whether it complied with General Data Protection Regulation (GDPR) is unclear.

We need to know what, if any, third-party data was accessed.

This could include the personal details of opponents, children, victims of crime or expert witnesses.

5. Provide clearer support to vulnerable people affected by the breach

The LAA must do more to inform survivors of domestic abuse and other at-risk groups that their data was breached.

This means going beyond the minimum legal requirement, which is to issue a public statement.

6. Reimburse and compensate legal aid providers for disruption caused

The LAA must provide fair compensation to firms for losses suffered due to the shutdown.

7. Consider future reform of key systems

The cyber-attack and its aftermath showed the LAA’s systems to be complex, opaque and bureaucratic.

Any new system must be simpler. It should place greater trust in the professionals who use it and meet the needs of all clients.

8. Provide funding for urgent IT upgrades

We sounded the alarm for years about the LAA’s antiquated and unreliable IT systems.

Theses have already hindered reforms to the legal aid means test.

The UK government must now commit new funding to upgrade these vital systems.

9. Commission a full review

The MoJ must commission a review of the LAA’s response to the data breach.

The lessons and recommendations should inform contingency planning across government to prepare for future breaches.

10. Ensure a sustainable future for legal aid providers

We have warned for years that the situation for legal aid providers is unsustainable.

The shutdown further exposed their lack of economic resilience.

For some, the loss of a single month’s payments meant they couldn’t cover salaries.

This is a clear warning to the UK government – legal aid needs a sustainable future.

LAA confirms data breach goes back to 2007

In July 2025, the LAA told us that compromised data includes client information from 2007 to 16 May 2025 (previously reported as 2010 onwards).

In some cases, information about partners of legal aid applicants is also included.

There is no evidence that the data has been published.

We’re concerned that data going back 18 years was held on out-of-date IT systems that were clearly vulnerable to attack.

We’ve long raised concerns that the LAA’s IT systems are not fit for purpose and continue to press for long‑overdue investment to modernise them.

LAA announces portal replacement

The LAA launched a new ‘sign in to legal aid platform’ which replaces the portal.

It is being piloted with 70 firms.

This new secure platform will allow legal aid providers to login and access digital services such as Client and Cost Management System (CCMS), once they are available.

These include:

• introducing a paper application process for civil cases
• widening delegated functions to allow providers to approve applications and amendments whilst the system is down
• widening the definition of emergency applications to ensure critical cases can proceed under contingency protocols
• waive client contributions

Revised contingency arrangements

The LAA announced revised contingency arrangements.

Key changes took effect from 27 June.

Civil

• An extension of emergency certificate time limits
• New delegated powers to amend both emergency and substantive certificates
• Providers can handle some non-contentious withdrawals of legal aid
• Contributions on both existing and new certificates will be waived

Crime

• Providers will have delegated powers to grant legal aid for some magistrates’ court proceedings
• Providers will be authorised to withdraw legal aid in such cases
• Providers will be empowered to make decisions on committals for sentence

Contract management

• Annual contract manager visits scheduled for July and August may be postponed

The LAA also replaced its frequently asked questions page.

When the extent of the data breach was revealed on 19 May, our priorities included ensuring the LAA:

• urgently clarified billing arrangements
• informed legal aid providers about contingency measures
• understood the stress and financial impact on solicitors and firms

Following sustained pressure from us, the LAA:

• re-established regular monthly payments for legal help and crime lower work
• arranged for payment of Crown Court bills
• set up a contingency process for certificated work
• agreed to speak to HM Revenue and Customs to try to provide respite for firms in relation to VAT and tax payments due

On the civil side, we confirmed the contingency process would also take account of:

• payments on account of solicitors’ costs
• payments on account of disbursements

Value added tax (VAT)

Payments made under the civil contingency arrangements may include sums that would be due as VAT on a final bill.

We are currently seeking clarification as to VAT liability relating to these payments.

However, you should make sure you can meet your VAT liabilities when you are eventually able to submit your final bills.

Financial hardship

If you believe your firm will suffer undue hardship despite these payment arrangements, speak to your contract manager.

They may be able to provide further assistance.

We strongly recommend firms keep a record of any time and costs incurred as a result of the breach, in case it becomes appropriate to make a claim for compensation to the LAA.

Informing clients

As the data controller, the LAA is responsible for informing individuals whose personal data may have been affected by the breach.

The LAA has notified them through its public statement.

Firms do not need to take any additional action.

If your clients’ personal data may have been affected, the National Cyber Security Centre (NCSC) has guidance on how they can protect themselves from the impact of a data breach.

Responding to the breach

On 19 May, the LAA confirmed that a significant amount of personal data belonging to individuals who applied for legal aid through its digital service from 2010 onwards may have been stolen.

“It is extremely concerning that members of the public have had their personal data compromised in this cybersecurity incident and the LAA must get a grip on the situation immediately,” said Law Society president Richard Atkinson.

“It is the LAA’s responsibility to contact all the legal aid applicants whose data has been compromised.”

We emphasised the need for the LAA to provide clear and timely information to legal aid providers and to take urgent steps to prevent future breaches.

“Legal aid firms are small businesses providing an important public service and are operating on the margins of financial viability.

“Given that vulnerability, these financial security concerns are the last thing they need,” said Richard.

On 23 April 2025, the Ministry of Justice detected unusual activity in the LAA’s IT systems.

It notified stakeholders and legal aid providers of a suspected data breach at the end of April.