LONDON — A massive cyberattack on the Legal Aid Agency has compromised more than two million pieces of sensitive data, including personal information of domestic abuse victims, the Ministry of Justice (MoJ) confirmed on Monday.
The breach, which occurred in April but has only recently been revealed to be far more severe than initially believed, has affected records dating back as far as 2010.
The exposed data spans the entire spectrum of the legal aid system, encompassing applicants involved in family law, criminal defence, and cases involving discrimination or abuse.
In a statement, the MoJ acknowledged that the hacked information may include full names, home addresses, dates of birth, national identification numbers, criminal history, employment records, and financial data such as debt and payment details.
“This data may have included highly sensitive and personal information,” the ministry said. “We understand this will be deeply distressing for many of the individuals affected.”
Legal Aid Agency Chief Executive Jane Harbottle issued an apology, stating: “We are incredibly sorry for what has happened. We understand this news will be shocking and upsetting for people who have used our services, particularly those in vulnerable circumstances.”
The MoJ also revealed that while the breach was first detected in April, the full scale of the incident only became clear after an in-depth forensic investigation. Authorities now believe the attack was part of a broader, coordinated campaign targeting critical infrastructure and public sector systems.
The National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) are actively investigating the incident. The Information Commissioner’s Office (ICO) has also been notified, as required under data protection laws.
In response to the breach, the Legal Aid Agency’s online digital services have been taken offline. These systems are used by legal aid providers to log cases and request government payments, meaning the outage could have a knock-on effect on access to justice.
The MoJ urged all individuals who may have been affected to remain vigilant and watch for signs of suspicious activity, including unusual phone calls or messages.
“If you are in doubt about anyone you are communicating with online or over the phone, you should verify their identity independently before providing any information,” the ministry advised. Affected individuals are also encouraged to update any passwords that may have been exposed.
This breach is the latest in a string of cyberattacks targeting UK organisations. Earlier this month, luxury retailer Harrods restricted internet access at its stores after an attempted system breach.
Marks & Spencer suffered significant financial losses due to a cyberattack in April, while the Co-op faced widespread disruptions to its supply chain after being hit.
Legal aid plays a crucial role in the UK’s justice system, supporting those who cannot afford legal representation, including victims of abuse, those at risk of serious harm, and individuals facing criminal prosecution.
As investigations continue, questions are mounting over how such a critical system could be left vulnerable to attack — and how long it will take to rebuild public trust in its ability to protect the most vulnerable.
