Legal Aid Agency data breach
We’ve been urging swift action from the LAA to restore services and minimise the fallout for solicitors and their clients.
Our key wins include:
- assurances that the LAA will not recoup payments if it disagrees with a firm’s use of delegated powers
- stronger contingency arrangements for civil cases
We continue to press for:
- fair compensation for the additional administrative burden
- an urgent interim billing process for civil cases
- timely restoration of all systems
- long‑term investment to ensure the LAA’s digital infrastructure is fit for purpose
Legal aid firms, who provide a vital public service, have been hit hard by this breach through no fault of their own.
Without urgent action, there is a risk that more firms will be forced out of this essential work, with serious consequences for access to justice.
This page sets out what we’re doing to advocate on behalf of our members, including raising your concerns and seeking answers to your questions.
If you’re a legal aid provider, explore the LAA’s official page on the cyber-attack for the latest operational guidance.
On this page:
- LAA confirms data breach goes back to 2007
- LAA announces portal replacement
- What we've been doing
- 10 steps to get the justice system back online
- Guidance on adjournments
LAA confirms data breach goes back to 2007
In July, the LAA told us compromised data includes client information from 2007 to 16 May 2025 (previously reported as 2010 onwards).
In some cases, information about partners of legal aid applicants is also included.
There is no evidence the data has been published.
If firms have already been taking steps to inform clients, they may wish to consider whether this development affects their approach.
We reiterate our previous guidance on members’ obligations to inform clients.
The LAA is responsible for informing individuals whose personal data may have been affected by the breach. Firms do not need to take additional action.
This remains unchanged.
We’re concerned that data going back 18 years was held on out-of-date IT systems that were clearly vulnerable to attack.
We’ve long raised concerns that the LAA’s IT systems are not fit for purpose and continue to press for long‑overdue investment to modernise them.
LAA announces portal replacement
The LAA will launch a new ‘sign in to legal aid platform’ which replaces the portal.
It is being piloted with 70 firms.
This new secure platform will allow legal aid providers to log in and access digital services such as the Client and Cost Management System (CCMS), once they are available.
No digital services will be available before September, with phased restoration planned.
Providers will be required to verify user details as part of onboarding to the new platform.
Further information about the rollout will be shared by the LAA in coming weeks.
From 24 July, the LAA will share weekly, rather than daily, email updates.
Urgent updates will be sent when needed.
What we've been doing
Our priorities include:
- pressing for a clear and published timeline for the full restoration of the LAA’s digital system, as part of the 10 steps being pursued
- securing assurances that the LAA will not recoup payments if it disagrees with a firm’s use of delegated powers
- calling for the urgent implementation of a contingency billing process for civil cases
- seeking a fair and realistic recoupment timetable for contingency payments, considering the substantial backlog of bills that will remain after the system is restored
- continuing to push for appropriate compensation for providers to reflect the financial impact of the outage
These include:
- introducing a paper application process for civil cases
- widening delegated functions to allow providers to approve applications and amendments whilst the system is down
- widening the definition of emergency applications to ensure critical cases can proceed under contingency protocols
- waiving client contributions
Revised contingency arrangements
The LAA announced revised contingency arrangements.
Key changes took effect from 27 June.
Civil
- An extension of emergency certificate time limits
- New delegated powers to amend both emergency and substantive certificates
- Providers can handle some non-contentious withdrawals of legal aid
- Contributions on both existing and new certificates will be waived
Crime
- Providers will have delegated powers to grant legal aid for some magistrates’ court proceedings
- Providers will be authorised to withdraw legal aid in such cases
- Providers will be empowered to make decisions on committals for sentence
Contract management
- Annual contract manager visits scheduled for July and August may be postponed
The LAA also replaced its frequently asked questions page.
When the extent of the data breach was revealed on 19 May, our priorities included ensuring the LAA:
- urgently clarified billing arrangements
- informed legal aid providers about contingency measures
- understood the stress and financial impact on solicitors and firms
Following sustained pressure from us, the LAA:
- re-established regular monthly payments for legal help and crime lower work
- arranged for payment of Crown Court bills
- set up a contingency process for certificated work
- agreed to speak to HM Revenue and Customs to try to provide respite for firms in relation to VAT and tax payments due
On the civil side, we confirmed the contingency process would also take account of:
- payments on account of solicitors’ costs
- payments on account of disbursements
Value added tax (VAT)
Payments made under the civil contingency arrangements may include sums that would be due as VAT on a final bill.
We are currently seeking clarification as to VAT liability relating to these payments.
However, you should make sure you can meet your VAT liabilities when you are eventually able to submit your final bills.
Financial hardship
If you believe your firm will suffer undue hardship despite these payment arrangements, speak to your contract manager.
They may be able to provide further assistance.
We strongly recommend firms keep a record of any time and costs incurred as a result of the breach, in case it becomes appropriate to make a claim for compensation to the LAA.
Informing clients
As the data controller, the LAA is responsible for informing individuals whose personal data may have been affected by the breach.
The LAA has notified them through its public statement.
Firms do not need to take any additional action.
If your clients’ personal data may have been affected, the National Cyber Security Centre (NCSC) has guidance on how they can protect themselves from the impact of a data breach.
Responding to the breach
On 19 May, the LAA confirmed that a significant amount of personal data belonging to individuals who applied for legal aid through its digital service from 2010 onwards may have been stolen.
“It is extremely concerning that members of the public have had their personal data compromised in this cybersecurity incident and the LAA must get a grip on the situation immediately,” said Law Society president Richard Atkinson.
“It is the LAA’s responsibility to contact all the legal aid applicants whose data has been compromised.”
We emphasised the need for the LAA to provide clear and timely information to legal aid providers and to take urgent steps to prevent future breaches.
“Legal aid firms are small businesses providing an important public service and are operating on the margins of financial viability.
“Given that vulnerability, these financial security concerns are the last thing they need,” said Richard.
On 23 April 2025, the Ministry of Justice detected unusual activity in the LAA’s IT systems.
It notified stakeholders and legal aid providers of a suspected data breach at the end of April.
Our calls to get the justice system back online
We're lobbying the UK government, the judiciary and the LAA to take 10 essential steps.
1. Get the LAA’s IT operational again
The LAA must set out a timetable for restoring online services.
2. Streamline contingency arrangements and put trust in legal aid providers
The LAA should delegate grants of legal aid for:
- criminal cases in the magistrates’ courts
- extensions and amendments to grants of legal aid in civil cases
- initial grants in non-means, no merit tested cases (for example, care proceedings)
- judicial review
A provider’s decision under delegated powers should be final.
The only exceptions should be if the grant of legal aid exceeds their legal authority or is made in bad faith.
3. Ensure vital representation in the courts and protect vulnerable individuals
Following guidance from the senior presiding judge, the courts should actively monitor the data breach’s impact on the effectiveness of court hearings.
4. Provide full transparency on what data was accessed and how it was secured
Why the LAA held data going back to 2010 and whether it complied with the General Data Protection Regulation (GDPR) is unclear.
We need to know what, if any, third-party data was accessed.
This could include the personal details of opponents, children, victims of crime or expert witnesses.
5. Provide clearer support to vulnerable people affected by the breach
The LAA must do more to inform survivors of domestic abuse and other at-risk groups that their data was breached.
This means going beyond the minimum legal requirement, which is to issue a public statement.
6. Reimburse and compensate legal aid providers for disruption caused
The LAA must provide fair compensation to firms for losses suffered due to the shutdown.
7. Consider future reform of key systems
The cyber-attack and its aftermath showed the LAA’s systems to be complex, opaque and bureaucratic.
Any new system must be simpler. It should place greater trust in the professionals who use it and meet the needs of all clients.
8. Provide funding for urgent IT upgrades
We sounded the alarm for years about the LAA’s antiquated and unreliable IT systems.
These have already hindered reforms to the legal aid means test.
The UK government must now commit new funding to upgrade these vital systems.
9. Commission a full review
The MoJ must commission a review of the LAA’s response to the data breach.
The lessons and recommendations should inform contingency planning across government to prepare for future breaches.
10. Ensure a sustainable future for legal aid providers
We have warned for years that the situation for legal aid providers is unsustainable.
The shutdown further exposed their lack of economic resilience.
For some, the loss of a single month’s payments meant they couldn’t cover salaries.
This is a clear warning to the UK government – legal aid needs a sustainable future.
Guidance on adjournments
The senior presiding judge issued guidance to courts covering how adjournment requests should be managed in cases where an individual is unable to secure legal aid.
Share your experiences
We want to hear how the disruption is affecting frontline solicitors and their clients.
This helps us prioritise the right areas for action.
We are unable to respond to individual queries about the data breach but we are working hard to raise your concerns with the LAA and MoJ.