Millions at risk after attackers steal UK legal aid data dating back 15 years
- Reference: 1747654568
- News link: https://www.theregister.co.uk/2025/05/19/legal_aid_agency_data_theft/
The announcement follows the initial news from May 6 of an attack on the UK's Legal Aid Agency (LAA), a Ministry of Justice (MoJ)-sponsored organization that allows legal aid workers to record their hours and bill the government accordingly. The aid is means tested, granted to people on low incomes and with limited savings.
The attack itself was detected on April 23 but investigators found on May 16 that the damage was "more extensive than originally understood and that the group behind it had accessed a large amount of information relating to legal aid applicants."
Affected data goes back to 2010 and could include applicants' contact details, home addresses, dates of birth, national ID numbers, criminal histories, employment statuses, and financial data such as contribution amounts, debts, and payments.
As ever with data spillages, each individual is likely to be affected differently, with some having more personal data stolen than others.
The MoJ didn't specify the number of people believed to be affected, but [4]publicly available data [PDF] shows the number of legal aid claims made in the last reporting year – April 2023 to March 2024 – stood at 388,888, of which 96 percent were granted. This also represented a 7 percent increase in applications compared to the previous reporting year.
It should also be noted that each application may involve more than one individual.
The PA news agency reported that 2.1 million data points were stolen, although the MoJ has not officially corroborated this.
Other [6]data published by the MoJ shows that over £2 billion ($2.7 billion) was spent on legal aid between April 2023 and March 2024.
All members of the public who applied for legal aid between 2010 and 2025 were advised to be extra vigilant about suspicious activity such as unknown calls and messages, and advised to change their [8]passwords.
Max Vetter, VP of cyber at Immersive, who also spent years at the [9]Metropolitan Police and taught at the [10]GCHQ summer school, said that due to its sensitivity, the data could be used to extort not only the LAA but also the affected individuals.
"The legal sector is built on trust, and clients expect that the personal information they share will remain safe," he added. "Therefore, when data is stolen, it is hugely damaging. The sector is attractive to cybercriminals because it holds large volumes of highly sensitive and confidential client data.
"For now, Legal is working quickly to alert consumers who are affected. Clear and actionable communications are essential after a breach, and customers will want strong assurances about the impact on their personal data and the steps they can take to protect themselves from any potential fallout."
The MoJ also directed the public to the National Cyber Security Centre's [15]guidance on protecting against scams following a data spillage.
"I understand this news will be shocking and upsetting for people, and I am extremely sorry this has happened," said Jane Harbottle, CEO at the LAA.
"Since the discovery of the attack, my team has been working around the clock with the [16]National Cyber Security Centre to bolster the security of our systems so we can safely continue the vital work of the agency.
"However, it has become clear that to safeguard the service and its users, we needed to take radical action. That is why we've taken the decision to take the online service down.
"We have put in place the necessary contingency plans to ensure those most in need of legal support and advice can continue to access the help they need during this time.
"I am incredibly grateful to legal aid providers for their patience and cooperation at a deeply challenging time.
"We will provide further updates shortly." ®
[4] https://assets.publishing.service.gov.uk/media/6762a6dabe7b2c675de30725/LAA_DLAC_Annual_Report_2023-24.pdf
[6] https://data.justice.gov.uk/legalaid
[8] https://www.theregister.com/2025/05/04/security_news_in_brief/
[9] https://www.theregister.com/2025/03/27/uk_facial_recognition/
[10] https://www.theregister.com/2025/04/01/student_gchq_theft/
[15] https://www.ncsc.gov.uk/guidance/data-breaches
[16] https://www.theregister.com/2025/05/13/cisa_ncsc/
Re: National security
Don't worry.
They'll ask for the IT providers to agree to a voluntary agreement where they will endeavour to make every possible effort to improve.
That'll fix it all right up!
Less data replication is a must
Too many organizations/businesses replicate and store PII unnecessarily.
I would prefer to have my PII being only stored by a few info-tech custodians, whom I trust anyway by daily smartphone usage. By seeing fk-ups daily I don't trust 99% of small or even large businesses handling my data securely. Gov organizations seem as bad.
Those 99% should only have my name, email address, or a service-specific alias + password and request access to PII every time they actually need it. The data should be immutable. Kind of a ledger. Business-specific stored data can be encrypted by each organization with private keys, so that other businesses or the data-custodians cannot read it.
The only role of the gov-IT must be creating and maintaining a shared access/log/replication service. And controlling a select few of big providers.
Each person must be his/her own data controller. Thus there would be millions of data controllers, instead of a few IT managers incapable of tracking everything.
The [1]Guardian is reporting that "[People in charge] knew about the vulnerabilities of the Legal Aid Agency digital systems, but did not act."
But then, if the buildings are falling apart, do you expect the digital infrastructure to be in any better repair? Our justice system needs investment.
[1] https://www.theguardian.com/law/2025/may/19/significant-amount-of-personal-data-accessed-in-legal-aid-agency-data-breach-says-moj
I wonder how many people have their CYA email trails to hand.
America also experienced this.
They can also get whatever kompromat on you from the court systems. America's court systems were also attacked in this manner. They hacked the court clerks and such. The law is extremely vulnerable because they are so reliant on technology, and hire out third parties for all their nefarious purposes. Outside of local jurisdiction, companies also have their own "semi" security systems (if it costs less). It's a mess, and everyone has been bought and sold. Technology is not your friend. It's being used against you.
This could get really ugly
Theft of Personal info is bad enough, but here it's almost the best case outcome! If anything relating to any case is included it will leave a lot of vulnerable people open to serious manipulation attempts.
"Hello Ms. Bloggs, I'm calling in regard to your recent case, new information has come to light, can you confirm some details for me please..."
Over two decades I was working on something of similar sensitivity. Everything was fenced off. Private network connections, security clearance for everyone working on it. Although the premises were used to handling secure stuff, it had its own private local network etc.
Now let's just expose it to the internet because it's cheap and a whole lot less fuss.
I'd like to think heads will roll over it, starting with whoever decided that an internet-accessible portal was a good idea, but committees are great for spreading the blame and making it impossible to work out whose idea it was in the first place.
National security
Yet another breach. If I were a hostile state actor, this is exactly the kind of data I’d want - a detailed list of vulnerable individuals with financial or legal struggles. Perfect leverage. It’s not just a privacy issue, it’s a national security one.