The cyber attack on the Legal Aid Agency (LAA) was a massive data breach and caused huge operational disruption. Mitigo outline the lessons that can be learned from the consequences of underinvestment in cyber risk management

What went wrong?

While initially it was believed that only law firm provider information had been compromised – a serious breach in itself – it soon emerged that hackers had accessed sensitive personal data from more than 2 million legal aid applications, dating back to 2010. This included names, addresses, national insurance numbers, criminal records and financial information.

The scale and nature of the exposed data is particularly concerning. Former National Cyber Security Centre (NCSC) head Ciaran Martin described it as “the more serious end of data breaches.” But beyond the headlines, this incident raises broader concerns for law firms, particularly those required to work within public sector systems that fall short of modern cyber security standards. For a profession that is held to ever-increasing standards of data protection, the question is: are the systems we rely on fit for purpose?

Legacy issues exposed

The breach reveals long-standing IT failings that the Ministry of Justice (MoJ) has been reluctant to address. Following the breach, Minister for Courts and Legal Services Sarah Sackman noted that the Law Society had warned in 2023 that the LAA’s infrastructure was “too fragile to cope.”

Despite numerous warnings and documented concerns, no decisive steps were taken to strengthen defences. Years of underinvestment, dependence on outdated legacy systems, and lack of proper maintenance left the agency vulnerable. In 2023–24 alone, the MoJ reported 12 cyber incidents – more than double the previous year. This wasn’t a matter of if, but when, a major breach would happen.


Chaos and disruption

At the time of writing, the LAA’s online portal remains offline, severely disrupting the processing of applications and payments. Legal aid providers – many operating on tight margins – are facing intense financial pressure, with some struggling to cover salaries.

The emotional toll on lawyers is palpable. Chris Minnoch, Chief Executive of the Legal Aid Practitioners Group, revealed that the body has received calls from “lawyers … in tears,” enduring sleepless nights as they await payments – raising fears that the legal aid scheme is “teetering on the precipice of collapse.”

Behind the scenes, the Law Society and the Bar Council have worked with the MoJ to introduce interim workarounds, including publishing payment schedules and lobbying HMRC for tax and VAT relief. These measures provide temporary relief but starkly underline an urgent need for robust, cyber-resilient planning.

Mr Minnoch called it “unforgivable” that an organisation of this size lacked a business continuity plan anticipating such a fallout.

Regulatory repercussions

The Ministry of Justice, as data controller for the LAA, promptly notified the Information Commissioner’s Office (ICO) of the breach. But disclosure is only the first step. The MoJ must now answer for systemic failings that enabled the attack, including outdated systems and inadequate cyber risk controls.

Since 2022, the ICO has taken a more lenient “public sector approach,” favouring reprimands and remediation over financial penalties to improve compliance without diverting public funds. The MoJ itself was reprimanded in 2023 for separate data handling failures.

However, leniency is not always guaranteed. In 2024, the ICO fined three public bodies, including £750,000 to the Police Service of Northern Ireland after a breach affecting 9,500 staff.

In the private sector, the bar is much higher. In 2025, the ICO fined software provider Advanced £3.07 million after security failings enabled a ransomware attack that exposed the data of over 79,000 individuals and severely disrupted NHS services. The original £6 million fine was halved due to the company’s cooperation with authorities.

How the ICO will respond to the MoJ over the LAA breach remains to be seen. But given the scale of disruption, the sensitivity of the data involved, and the reputational damage already done, the regulator may feel compelled to make an example of them so that steps are taken to make government digital services more resilient.

Rebuilding trust and resilience

The fallout from the LAA breach will be long-lasting – and we’re only seeing the beginning. Yet, it can be surmised that the breach will result in increased cyber security investment, legacy system modernisation, and mandatory cyber audits for justice-related agencies.

Although the LAA is not subject to the UK’s Network and Information Systems (NIS) Regulations 2018 – which set security and incident reporting requirements for essential service operators and digital providers – it is still expected to align with recognised frameworks such as the NCSC’s Cyber Assessment Framework (CAF) to benchmark its cyber defences and drive continuous improvement.

Coincidentally, and somewhat ironically, the breach struck in the same month the government launched its Cyber Governance Code of Practice, a board-level guide developed by the Department for Science, Innovation & Technology and the NCSC to improve cyber risk oversight, incident response and assurance across the private sector. It also came just as a policy statement was released on the Cyber Security and Resilience Bill, which will significantly expand the scope of the UK’s NIS regulations. This will bring managed service providers and other private-sector digital service suppliers under stricter regulatory oversight, recognising the risks they pose to client systems given the crucial part they play in supply chains.

Yet while government is telling private sector organisations to get their houses in order, one of its own most critical agencies has fallen short. The LAA breach highlights deep structural weaknesses in a system that, by the government’s own standards, should have been better protected. It’s a stark contradiction: championing resilience on paper while failing to deliver it in practice.

Government agencies can be slow and bureaucratic, but the private sector should not be. So, if you are less than 100% sure that your cyber risk management will keep you safe from attack, instruct experts to provide you with independent assurance without delay.

The Law Society has partnered with Mitigo to offer technical and cyber security services with exclusive discounts for our members. For more information contact Mitigo on 020 8191 9205 or email law-society@mitigogroup.com