Legal Aid Agency data breach
Since then, we’ve been urging swift action from the LAA to restore services and minimise the fallout for solicitors and their clients.
Our president, Richard Atkinson, leads this engagement, which includes regular meetings with LAA chief executive Jane Harbottle and her officials.
We're also making strong representations to Ministry of Justice (MoJ) ministers, MPs and the media about the serious ongoing impacts of the shutdown.
This page sets out what we’re doing to advocate on behalf of our members, including raising your concerns and seeking answers to your questions.
We want to hear how the disruption is affecting frontline solicitors and their clients. This helps us prioritise the right areas for action.
Share your experiences with us
If you’re a legal aid provider, explore the LAA’s official page on the cyber-attack for the latest operational guidance.
Revised contingency arrangements
The LAA has announced revised contingency arrangements.
Key changes will take effect from 27 June.
Civil
- An extension of emergency certificate time limits
- New delegated powers to amend both emergency and substantive certificates
- Providers can handle some non-contentious withdrawals of legal aid
- Contributions on both existing and new certificates will be waived
Crime
- Providers will have delegated powers to grant legal aid for some magistrates’ court proceedings
- Providers will be authorised to withdraw legal aid in such cases
- Providers will be empowered to make decisions on committals for sentence
Contract management
- Annual contract manager visits scheduled for July and August may be postponed
The LAA also replaced its frequently asked questions page.
Our calls to get the justice system back online
We're lobbying the UK government, the judiciary and the LAA to take 10 essential steps.
1. Get the LAA’s IT operational again
The LAA must set out a timetable for restoring online services.
2. Streamline contingency arrangements and put trust in legal aid providers
The LAA should delegate grants of legal aid for:
- criminal cases in the magistrates’ courts
- extensions and amendments to grants of legal aid in civil cases
- initial grants in non-means, no merit tested cases (for example, care proceedings)
- judicial review
A provider’s decision under delegated powers should be final.
The only exceptions should be if the grant of legal aid exceeds their legal authority or is made in bad faith.
3. Ensure vital representation in the courts and protect vulnerable individuals
Following guidance from the senior presiding judge, the courts should actively monitor the data breach’s impact on the effectiveness of court hearings.
4. Provide full transparency on what data was accessed and how it was secured
Why the LAA held data going back to 2010 and whether it complied with General Data Protection Regulation (GDPR) is unclear.
We need to know what, if any, third-party data was accessed.
This could include the personal details of opponents, children, victims of crime or expert witnesses.
5. Provide clearer support to vulnerable people affected by the breach
The LAA must do more to inform survivors of domestic abuse and other at-risk groups that their data was breached.
This means going beyond the minimum legal requirement, which is to issue a public statement.
6. Reimburse and compensate legal aid providers for disruption caused
The LAA must provide fair compensation to firms for losses suffered due to the shutdown.
7. Consider future reform of key systems
The cyber-attack and its aftermath showed the LAA’s systems to be complex, opaque and bureaucratic.
Any new system must be simpler. It should place greater trust in the professionals who use it and meet the needs of all clients.
8. Provide funding for urgent IT upgrades
We sounded the alarm for years about the LAA’s antiquated and unreliable IT systems.
Theses have already hindered reforms to the legal aid means test.
The UK government must now commit new funding to upgrade these vital systems.
9. Commission a full review
The MoJ must commission a review of the LAA’s response to the data breach.
The lessons and recommendations should inform contingency planning across government to prepare for future breaches.
10. Ensure a sustainable future for legal aid providers
We have warned for years that the situation for legal aid providers is unsustainable.
The shutdown further exposed their lack of economic resilience.
For some, the loss of a single month’s payments meant they couldn’t cover salaries.
This is a clear warning to the UK government – legal aid needs a sustainable future.
Guidance on adjournments
The senior presiding judge issued guidance to courts covering how adjournment requests should be managed in cases where an individual is unable to secure legal aid.
What we've been doing
When the extent of the data breach was revealed on 19 May, our priorities included ensuring the LAA:
- urgently clarified billing arrangements
- informed legal aid providers about contingency measures
- understood the stress and financial impact on solicitors and firms
Following sustained pressure from us, the LAA:
- re-established regular monthly payments for legal help and crime lower work
- arranged for payment of Crown Court bills
- set up a contingency process for certificated work
- agreed to speak to HM Revenue & Customs to try to provide respite for firms in relation to VAT and tax payments due
On the civil side, we confirmed the contingency process would also take account of:
- payments on account of solicitors’ costs
- payments on account of disbursements
Value added tax (VAT)
Payments made under the civil contingency arrangements may include sums that would be due as VAT on a final bill.
We do not believe VAT is due on these payments.
However, you should make sure you can meet your VAT liabilities when you are eventually able to submit your final bills.
Financial hardship
If you believe your firm will suffer undue hardship despite these payment arrangements, speak to your contract manager.
They may be able to provide further assistance.
We strongly recommend firms keep a record of any time and costs incurred as a result of the breach, in case it becomes appropriate to make a claim for compensation to the LAA.
Informing clients
As the data controller, the LAA is responsible for informing individuals whose personal data may have been affected by the breach.
The LAA has notified them through its public statement.
Firms do not need to take any additional action.
If your clients’ personal data may have been affected, the National Cyber Security Centre (NCSC) has guidance on how they can protect themselves from the impact of a data breach.
Responding to the breach
On 19 May, the LAA confirmed that a significant amount of personal data belonging to individuals who applied for legal aid through its digital service from 2010 onwards may have been stolen.
“It is extremely concerning that members of the public have had their personal data compromised in this cybersecurity incident and the LAA must get a grip on the situation immediately,” said Law Society president Richard Atkinson.
“It is the LAA’s responsibility to contact all the legal aid applicants whose data has been compromised.”
We emphasised the need for the LAA to provide clear and timely information to legal aid providers and to take urgent steps to prevent future breaches.
“Legal aid firms are small businesses providing an important public service and are operating on the margins of financial viability.
“Given that vulnerability, these financial security concerns are the last thing they need,” said Richard.
On 23 April 2025, the Ministry of Justice detected unusual activity in the LAA’s IT systems.
They notified stakeholders and legal aid providers of a suspected data breach at the end of April.