In May 2025, the Legal Aid Agency (LAA) confirmed it had been the target of a cyber-attack that resulted in a major data breach. The incident forced the LAA to take its digital services offline and triggered contingency measures for legal aid providers.
04 Aug 2025
3 minutes read
We’ve been urging swift action from the LAA to restore services and minimise the fallout for solicitors and their clients.
Our key wins include:
- assurances that the LAA will not recoup payments if it disagrees with a firm’s use of delegated powers
- stronger contingency arrangements for civil cases
We continue to press for:
- fair compensation for the additional administrative burden
- an urgent interim billing process for civil cases
- timely restoration of all systems
- long‑term investment to ensure the LAA’s digital infrastructure is fit for purpose
Legal aid firms, who provide a vital public service, have been hit hard by this breach through no fault of their own.
Without urgent action, there is a risk that more firms will be forced out of this essential work, with serious consequences for access to justice.
This page sets out what we’re doing to advocate on behalf of our members, including raising your concerns and seeking answers to your questions.
If you’re a legal aid provider, explore the LAA’s official page on the cyber-attack for the latest operational guidance.
On this page:
- LAA confirms data breach goes back to 2007
- LAA announces portal replacement
- What we’ve been doing
- 10 steps to get the justice system back online
- Guidance on adjournments
LAA confirms data breach goes back to 2007
In July, the LAA told us compromised data includes client information from 2007 to 16 May 2025 (previously reported as 2010 onwards).
In some cases, information about partners of legal aid applicants is also included.
There is no evidence the data has been published.
If firms have already been taking steps to inform clients, they may wish to consider whether this development affects their approach.
We reiterate our previous guidance on members’ obligations to inform clients.
The LAA is responsible for informing individuals whose personal data may have been affected by the breach. Firms do not need to take additional action.
This remains unchanged.
We’re concerned that data going back 18 years was held on out-of-date IT systems that were clearly vulnerable to attack.
We’ve long raised concerns that the LAA’s IT systems are not fit for purpose and continue to press for long‑overdue investment to modernise them.
LAA announces portal replacement
The LAA will launch a new ‘sign in to legal aid platform’ which replaces the portal.
It is being piloted with 70 firms.
This new secure platform will allow legal aid providers to login and access digital services such as Client and Cost Management System (CCMS), once they are available.
No digital services will be available before September, with phased restoration planned.
Providers will be required to verify user details as part of onboarding to the new platform.
Further information about the rollout will be shared by the LAA in coming weeks.
From 24 July, the LAA will share weekly, rather than daily email updates.
Urgent updates will be sent when needed.
