Legal Aid Agency data breach

In May 2025, the Legal Aid Agency (LAA) confirmed it had been the target of a cyber-attack that resulted in a major data breach. The incident forced the LAA to take its digital services offline and triggered contingency measures for legal aid providers.

We’ve been urging swift action from the LAA to restore services and minimise the fallout for solicitors and their clients.

Our key wins include:

  • assurances that the LAA will not recoup payments if it disagrees with a firm’s use of delegated powers
  • stronger contingency arrangements for civil cases

We continue to press for:

  • fair compensation for the additional administrative burden
  • an urgent interim billing process for civil cases
  • timely restoration of all systems
  • long‑term investment to ensure the LAA’s digital infrastructure is fit for purpose

Legal aid firms, who provide a vital public service, have been hit hard by this breach through no fault of their own.

Without urgent action, there is a risk that more firms will be forced out of this essential work, with serious consequences for access to justice.

This page sets out what we’re doing to advocate on behalf of our members, including raising your concerns and seeking answers to your questions.

If you’re a legal aid provider, explore the LAA’s official page on the cyber-attack for the latest operational guidance.

LAA confirms data breach goes back to 2007

In July, the LAA told us compromised data includes client information from 2007 to 16 May 2025 (previously reported as 2010 onwards).

In some cases, information about partners of legal aid applicants is also included.

There is no evidence the data has been published.

If firms have already been taking steps to inform clients, they may wish to consider whether this development affects their approach.

We reiterate our previous guidance on members’ obligations to inform clients.

The LAA is responsible for informing individuals whose personal data may have been affected by the breach. Firms do not need to take additional action.

This remains unchanged.

We’re concerned that data going back 18 years was held on out-of-date IT systems that were clearly vulnerable to attack.

We’ve long raised concerns that the LAA’s IT systems are not fit for purpose and continue to press for long‑overdue investment to modernise them.

LAA announces portal replacement

The LAA will launch a new ‘sign in to legal aid platform’ which replaces the portal.

It is being piloted with 70 firms.

This new secure platform will allow legal aid providers to log in and access digital services such as the Client and Cost Management System (CCMS), once they are available.

No digital services will be available before September, with phased restoration planned.

Providers will be required to verify user details as part of onboarding to the new platform.

Further information about the rollout will be shared by the LAA in coming weeks.

From 24 July, the LAA will share weekly, rather than daily, email updates.

Urgent updates will be sent when needed. 

What we've been doing

We continue to lobby the Legal Aid Agency to address the issue raised by our members on the operational impact of the system outage.

Our priorities include:

  • pressing for a clear and published timeline for the full restoration of the LAA’s digital system, as part of the 10 steps being pursued
  • securing assurances that the LAA will not recoup payments if it disagrees with a firm’s use of delegated powers
  • calling for the urgent implementation of a contingency billing process for civil cases
  • seeking a fair and realistic recoupment timetable for contingency payments, considering the substantial backlog of bills that will remain after the system is restored
  • continuing to push for appropriate compensation for providers to reflect the financial impact of the outage

We welcome the implementation of contingency measures, which follow our ongoing lobbying and advocacy on behalf of our members.

These include:

  • introducing a paper application process for civil cases
  • widening delegated functions to allow providers to approve applications and amendments whilst the system is down
  • widening the definition of emergency applications to ensure critical cases can proceed under contingency protocols
  • waiving client contributions

Revised contingency arrangements

The LAA announced revised contingency arrangements.

Key changes took effect from 27 June.

Civil

  • An extension of emergency certificate time limits
  • New delegated powers to amend both emergency and substantive certificates
  • Providers can handle some non-contentious withdrawals of legal aid
  • Contributions on both existing and new certificates will be waived

Crime

  • Providers will have delegated powers to grant legal aid for some magistrates’ court proceedings
  • Providers will be authorised to withdraw legal aid in such cases
  • Providers will be empowered to make decisions on committals for sentence

Contract management

  • Annual contract manager visits scheduled for July and August may be postponed

The LAA also replaced its frequently asked questions page.

We responded to the breach, filled critical information gaps for legal aid providers and clarified urgent billing arrangements and other contingency measures.

When the extent of the data breach was revealed on 19 May, our priorities included ensuring the LAA:

  • urgently clarified billing arrangements
  • informed legal aid providers about contingency measures
  • understood the stress and financial impact on solicitors and firms

Following sustained pressure from us, the LAA:

  • re-established regular monthly payments for legal help and crime lower work
  • arranged for payment of Crown Court bills
  • set up a contingency process for certificated work
  • agreed to speak to HM Revenue and Customs to try to provide respite for firms in relation to VAT and tax payments due

On the civil side, we confirmed the contingency process would also take account of:

  • payments on account of solicitors’ costs
  • payments on account of disbursements

Value added tax (VAT)

Payments made under the civil contingency arrangements may include sums that would be due as VAT on a final bill.

We are currently seeking clarification as to VAT liability relating to these payments.

However, you should make sure you can meet your VAT liabilities when you are eventually able to submit your final bills.

Financial hardship

If you believe your firm will suffer undue hardship despite these payment arrangements, speak to your contract manager.

They may be able to provide further assistance.

We strongly recommend firms keep a record of any time and costs incurred as a result of the breach, in case it becomes appropriate to make a claim for compensation to the LAA.

Informing clients

As the data controller, the LAA is responsible for informing individuals whose personal data may have been affected by the breach.

The LAA has notified them through its public statement.

Firms do not need to take any additional action.

If your clients’ personal data may have been affected, the National Cyber Security Centre (NCSC) has guidance on how they can protect themselves from the impact of a data breach.

Responding to the breach

On 19 May, the LAA confirmed that a significant amount of personal data belonging to individuals who applied for legal aid through its digital service from 2010 onwards may have been stolen.

“It is extremely concerning that members of the public have had their personal data compromised in this cybersecurity incident and the LAA must get a grip on the situation immediately,” said Law Society president Richard Atkinson.

“It is the LAA’s responsibility to contact all the legal aid applicants whose data has been compromised.”

We emphasised the need for the LAA to provide clear and timely information to legal aid providers and to take urgent steps to prevent future breaches.

“Legal aid firms are small businesses providing an important public service and are operating on the margins of financial viability.

“Given that vulnerability, these financial security concerns are the last thing they need,” said Richard.

Suspected data breach detected at the LAA

On 23 April 2025, the Ministry of Justice detected unusual activity in the LAA’s IT systems.

It notified stakeholders and legal aid providers of a suspected data breach at the end of April.

Our calls to get the justice system back online

We're lobbying the UK government, the judiciary and the LAA to take 10 essential steps.

1. Get the LAA’s IT operational again

The LAA must set out a timetable for restoring online services.

2. Streamline contingency arrangements and put trust in legal aid providers

The LAA should delegate grants of legal aid for:

  • criminal cases in the magistrates’ courts
  • extensions and amendments to grants of legal aid in civil cases
  • initial grants in non-means, no merit tested cases (for example, care proceedings)
  • judicial review

A provider’s decision under delegated powers should be final.

The only exceptions should be if the grant of legal aid exceeds their legal authority or is made in bad faith.

3. Ensure vital representation in the courts and protect vulnerable individuals

Following guidance from the senior presiding judge, the courts should actively monitor the data breach’s impact on the effectiveness of court hearings.

4. Provide full transparency on what data was accessed and how it was secured

Why the LAA held data going back to 2010 and whether it complied with the General Data Protection Regulation (GDPR) is unclear.

We need to know what, if any, third-party data was accessed.

This could include the personal details of opponents, children, victims of crime or expert witnesses.

5. Provide clearer support to vulnerable people affected by the breach

The LAA must do more to inform survivors of domestic abuse and other at-risk groups that their data was breached.

This means going beyond the minimum legal requirement, which is to issue a public statement.

6. Reimburse and compensate legal aid providers for disruption caused

The LAA must provide fair compensation to firms for losses suffered due to the shutdown.

7. Consider future reform of key systems

The cyber-attack and its aftermath showed the LAA’s systems to be complex, opaque and bureaucratic.

Any new system must be simpler. It should place greater trust in the professionals who use it and meet the needs of all clients.

8. Provide funding for urgent IT upgrades

We sounded the alarm for years about the LAA’s antiquated and unreliable IT systems.

These have already hindered reforms to the legal aid means test.

The UK government must now commit new funding to upgrade these vital systems.

9. Commission a full review

The MoJ must commission a review of the LAA’s response to the data breach.

The lessons and recommendations should inform contingency planning across government to prepare for future breaches.

10. Ensure a sustainable future for legal aid providers

We have warned for years that the situation for legal aid providers is unsustainable.

The shutdown further exposed their lack of economic resilience.

For some, the loss of a single month’s payments meant they couldn’t cover salaries.

This is a clear warning to the UK government – legal aid needs a sustainable future.

Guidance on adjournments

The senior presiding judge issued guidance to courts covering how adjournment requests should be managed in cases where an individual is unable to secure legal aid.

Share your experiences

We want to hear how the disruption is affecting frontline solicitors and their clients.

This helps us prioritise the right areas for action.

Share your experiences with us

We are unable to respond to individual queries about the data breach but we are working hard to raise your concerns with the LAA and MoJ.