A major cyberattack on the Ministry of Justice has led to the unauthorised access and download of what is being described as a “significant amount of personal data” from the Legal Aid Agency, including criminal records and sensitive financial information.
The breach affects individuals who applied for legal aid over the past 15 years. According to the Ministry, the exposed data may include:
Full names and contact details Dates of birth and National Insurance numbers Employment status Financial data, including debt and contribution information Criminal history linked to applications
A group has claimed responsibility for the attack and says it accessed 2.1 million pieces of data. However, that figure has not yet been verified by the Ministry of Justice.
The government reportedly became aware of the breach on 23 April, but it was not until Friday 17 May that the full extent of the compromise became clear.
An MoJ source has attributed the breach to longstanding vulnerabilities, stating that the incident was the result of “neglect and mismanagement” under previous leadership. Security flaws in the Legal Aid Agency’s systems are said to have been known for several years but not adequately addressed.
The Legal Aid Agency (LAA), which oversees the administration of legal aid in England and Wales, operates under the Ministry of Justice. In 2023/24, the LAA managed approximately £2.3 billion in legal aid funding.
In response to the breach, the MoJ is advising anyone who applied for legal aid since 2010 to:
Update passwords, particularly if reused across accounts Remain alert to suspicious emails, phone calls or text messages Monitor financial accounts for unusual activity
An internal investigation is ongoing, and relevant authorities have been informed. The Information Commissioner’s Office (ICO) is expected to assess whether data protection regulations were breached.
At the time of writing, there is no public indication that the stolen data has been released or sold. However, cyber experts warn that the sensitivity of the information involved could make individuals vulnerable to fraud, phishing, and identity theft.
The Ministry of Justice has yet to confirm when affected individuals will be contacted directly or how support will be provided to those impacted