The UK Ministry of Justice (MoJ) has confirmed that a “significant amount of personal data” from legal aid applicants has been stolen in a cyberattack, sparking concerns over the potential misuse of sensitive information. The attack, which was first detected on April 23, was initially believed to be less severe, but further investigations revealed extensive damage and unauthorized access to a large amount of data related to applicants dating back to 2010.
The data breach affects individuals who applied for legal aid between 2010 and 2025, raising alarms over the potential exposure of personal details such as contact information, home addresses, birth dates, national identification numbers, and even financial history. Publicly available data shows that in the last reporting year from April 2023 to March 2024, there were a total of 388,888 legal aid claims, with 96 percent being granted, representing a 7 percent increase from the previous year. However, the exact number of individuals affected by the breach remains unspecified.
Reports indicate that approximately 2.1 million data points may have been stolen, although the MoJ has not confirmed this figure. The severity of the data breach is compounded by the sensitivity of the stolen information, which could be exploited for extortion not only against the MoJ but also against the individuals involved. Max Vetter, Vice President of Cyber at Immersive and an expert in the field, emphasized the trust clients place in legal service providers and the potential damage caused by such breaches. “The legal sector is attractive to cybercriminals because it holds large volumes of highly sensitive and confidential client data,” he explained.
In response to the breach, the MoJ is closely coordinating with the National Cyber Security Centre (NCSC) to enhance the security of its systems. Jane Harbottle, CEO of the Legal Aid Agency (LAA), expressed her deep regret over the incident, assuring affected individuals that measures are being taken to mitigate the risks associated with the stolen data. In light of the attack, the LAA has temporarily taken its online services offline, while contingency plans are being implemented to ensure continued access to legal support for those in need.
To safeguard their information, members of the public who applied for legal aid during the affected time period are encouraged to be vigilant for any suspicious activity, such as unexpected messages or phone calls. The MoJ has also directed individuals to the NCSC’s guidance on how to protect against potential scams that may arise from the data leak.
As the investigation continues, the MoJ assures the public that updates will be communicated promptly. This incident highlights an urgent need for robust data protection measures within the legal sector and emphasizes the continued risks posed by cybercriminals targeting organizations that handle sensitive personal information.