The Legal Aid Agency had a Huge Data Breach... Here's What Happened

In the UK, you have a right to a lawyer. Whether you lack the funds to pay for legal representation, or lack the contacts to arrange one, you may be eligible to apply for help through the Legal Aid Agency (LAA). As you’d expect, LAA clients include some of the most vulnerable people in society, including innocent people who go on to be acquitted of any charge.
So what happens when the personal data of such vulnerable applicants is downloaded, with the potential to be published on the dark web? It is reported that a black-hat hacker group called ‘Scattered Spider’ gained access to the Legal Aid Agency’s computer network. Millions of pieces of information were reportedly exposed. We’re explaining what happened, who’s affected and, crucially, why this claim is so important.
What happened in the Legal Aid Agency Data Breach?
This was a significant breach. While the attack was discovered and disclosed in April 2025, the hackers had already been inside LAA’s systems for months. It’s believed that systems were first breached in December 2024 and data was exfiltrated – stolen – from January 2025 onwards. While LAA initially believed the breach to be limited, they later said that it was “more extensive than originally understood.”
According to media reports, over two million pieces of information dating as far back as 2007 may have been accessed and downloaded by the attackers.
What information was exposed?
- Name and contact information, such as email addresses and telephone numbers
- National ID numbers
- Dates of birth
- Details about legal cases, historical and potentially ongoing
- Criminal or family history
- Employment status
- Financial data such as contribution amounts, debts and payments
- Information about your partner
- Anything else that might have been disclosed when applying for LAA services
It’s easy to see how such information could be used by bad actors. The exposure of sensitive personal information can increase the risk of identity fraud. With it, hackers are able to employ sophisticated phishing techniques and carry out other forms of misuse that may inflict financial and emotional harm. Individuals concerned that their information may have been affected should remain vigilant and follow any guidance issued by the Legal Aid Agency.
Why is this breach so serious?
Appearing before the UK’s parliamentary Public Accounts Committee, LAA CEO Jane Harbottle pointed to the agency’s outdated IT systems as one of the main reasons for the breach. In some cases, the retention of 18-year-old personal information was due to ongoing debt payments by certain clients, but it largely indicates a ‘legacy’ system being used long past its sell-by date.
This isn’t speculation: Harbottle told MPs that LAA was aware that its systems were outmoded and in need of an upgrade; in fact, it was during the system upgrade that the data breach was first discovered.
Why does this matter? It is reported that the government knew for years that its systems were vulnerable to attack and only took action on the issue when it was already too late. Now, the sensitive information of hundreds of thousands or potentially millions of people has been exposed.
It might seem like a lot of technical jargon, but data breach incidents can have significant real-world consequences. Depending on the nature of the information involved, individuals may experience anxiety, distress or concern about the potential misuse of their personal information. Where organisations fail to comply with their data protection obligations, affected individuals may have legal rights and remedies available to them. We deserve better from the government and its agencies and it’s important to hold them accountable.
Am I affected? What can I do?
If you applied for Legal Aid at any point between 2007 and 2025, you could be eligible to seek compensation. You may have received a letter or message saying your data was involved.
It’s not purely about financial losses incurred due to the data breach. In some circumstances, individuals may be able to seek compensation for non-material damage, including distress, anxiety or loss of control over their personal information, depending on the facts of the case.
LAA CEO Jane Harbottle has described the attack as “shocking and upsetting for some people” and the organisation has advised any past or present applicants to be suspicious of strange activity and requests for personal information, saying “if you are in doubt about anyone you are communicating with online or over the phone you should verify their identity independently before providing any information to them.”
If you think you have a claim, you can check your eligibility for free. It only takes a few minutes.
Eligibility to pursue a claim will depend on the circumstances of your case and whether your information was affected by the incident.