Date
29 September 2025
Issue
The negative consequences faced by lawyers and clients due to the Legal Aid Agency cyberattack on the 23rd of April 2025.
Short Answer
The recent cyberattack on Legal Aid has left barristers and firms without access to a steady income for their legal aid work. Along with private data being accessed, vulnerable clients may be unable to access vital Legal Aid services. The incident has negatively impacted all parties involved in legal aid.
Overview of the Incident
The recent cyberattack on the Legal Aid Agency (LAA) service systems resulted in a “significant amount” of data, relating to legal aid applicants across England and Wales, being downloaded and accessed by a group of hackers. These systems are used to enable the LAA to authorise legal aid services for clients and pay those providing this service. The Ministry of Justice (MOJ) became aware of the incident on 23rd April but did not realise the scale of the hack until May. The accessed data includes financial information, national insurance numbers and employment details. The MOJ believes the hackers acquired data from 2007 up to 16 May 2025, with the group claiming that they accessed over 2 million pieces of data.
Impact on Lawyers
Firms and barristers working in legal aid are undergoing financial hardship due to the disruption to the LAA’s online systems. The cyberattack resulted in many barristers and firms facing payment delays, with others unable to submit claims or invoices. The incident has sparked further concern amongst self-employed barristers who are struggling to pay their bills and are left to handle tax and VAT payments. The online systems being down has also increased administrative work for lawyers, potentially leading to legal aid applicants being turned away because of the backlog.
Jenny Beck KC with the family law firm Beck Fitzgerald has highlighted how this especially affects vulnerable people such as domestic violence victims. Consequently, the cyberattack has created unease and uncertainty around the future of publicly funded legal work.
What Support is Being Offered?
While legal aid providers wait for the LAA system to be repaired, the MOJ has introduced a contingency scheme to provide support for lawyers facing financial difficulties. This aims to support legal aid practitioners with weekly payments based on their average earnings from the three months before the cyberattack, but some have argued that this support falls short. Others are also hesitant to use the scheme as they fear potential clawbacks (repayments of overpaid sums).
Beck KC highlighted how the contingency arrangements are “likely to be the final straw for many”, as they are not nearly enough to compensate for the trouble firms and barristers have gone through to try and stay afloat. With legal aid already severely underfunded (especially due to the 2012 funding cuts), the cyberattack has only heightened the disincentive for lawyers to undertake legal aid work.
Vulnerabilities within the LAA’s Method of Data Protection
UK data protection is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The GDPR defines ‘special category data’, which covers information such as race, religion, health and political opinions. This data is treated with greater care because it can pose significant risks to the individual’s fundamental rights and freedoms.
The Information Commissioner’s Office (ICO), the UK’s regulator for data protection, has highlighted that anyone using this personal data should have safeguards that include appropriate security “against unlawful or unauthorised processing”. An additional requirement is that information should not be kept for longer than is necessary.
This raises questions about whether the LAA met its GDPR obligations to secure data and minimise its retention, especially considering special category data was stored on the LAA’s servers for up to 15 years, as suggested by Senior Associate Charlotte Dawes. Evidently, the cyberattack has created greater concerns around the LAA’s ability to protect data in line with the GDPR.
The Current Situation and Future Outlook
The LAA confirmed in August that the Client and Cost Management System is currently offline but will be available from mid to late September, according to the MOJ. The LAA has also been working with the National Crime Agency and National Cyber Security Centre to enhance the systems’ security in light of the cyber security breach. Overall, the cyberattack has emphasised the urgent need to reform the LAA’s technical security systems. Another incident of this scale could further diminish the already limited pool of practitioners providing legal aid services.