New details about the cyber attack on the Legal Aid Agency (LAA) reveal that hackers had access to sensitive systems for months before the breach was detected—raising fresh concerns for anyone whose personal data may have been stored on LAA systems.
According to the LAA’s newly published annual report, the attack discovered in April 2025 actually began much earlier. Systems were first breached in December 2024, with data exfiltrated from January 2025.
That means hackers may have accessed personal information for up to four months before the LAA became aware.
What this means for people whose data may be held by the LAA
The LAA holds a significant amount of sensitive information. Depending on the type of legal aid application, this could include:
- Names, addresses and contact details
- Financial eligibility information
- National insurance numbers
- Supporting documents (bank statements, ID documents, payslips, benefits information)
- Case details and correspondence.
A long-running breach makes it more likely that data was accessed, copied, or shared elsewhere online before the attack was contained.
The LAA has confirmed that data was exfiltrated, but has not yet detailed exactly what was taken, whose data was involved, or the scale of exposure. These are key questions many victims will now want answers to.
Why the timeline matters
The LAA originally announced that it became aware of the attack on 23 April 2025. For months, the understanding was that the incident was sudden and contained relatively quickly.
But the new timeline—showing a breach beginning in December 2024—raises important concerns:
- Longer access means greater risk of sensitive data being copied
- Victims may have been unaware and unprotected for months
- Potential misuse of stolen data may only now be coming to light
- People may need to stay alert for fraud attempts triggered by older stolen information.
The LAA has recommended that everyone who applied for legal aid since 2007 take precautions.
If you applied for legal aid, submitted documents digitally, or communicated with the LAA during this period, you may reasonably worry whether your information is among the data stolen.
The Ministry of Justice acknowledges the seriousness of the incident. However, the LAA has not yet issued direct notifications to all individuals whose data may have been affected, nor provided a complete breakdown of what was taken. The ICO investigation continues.
What victims can do now
While the situation is still developing, there are steps anyone who may be affected can take:
- Monitor bank accounts and credit reports for unfamiliar activity
- Be alert to scam calls, texts or emails, especially those claiming to be from the LAA, law firms, or government bodies
- Change passwords if you reused login details used anywhere near the time of your legal aid application
- Keep an eye on official updates—whether from the MoJ, LAA or the ICO.
Victims of the Legal Aid data breach could be due compensation
If evidence emerges that sensitive data was compromised, individuals may have grounds to seek redress under data protection law. Similar incidents involving public bodies have previously led to successful compensation claims.
Join the Claim connects consumers with SRA-regulated lawyers. Visit the claim page to check your eligibility if a claim is open with one of our trusted legal partners. If a group action has not yet been launched, you can register your interest and we’ll keep you informed if a partner firm decides to take a claim forward.
