Ministry of Justice: MoJ spent £50M on security at Legal Aid Agency before attack

UK Ministry of Justice Faces Criticism Over £50M Cybersecurity Failures in Legal Aid Agency Breach

The UK’s Ministry of Justice (MoJ) spent £50 million ($67 million) on cybersecurity upgrades for the Legal Aid Agency (LAA) before a major cyberattack exposed critical vulnerabilities, according to a report by the Public Accounts Committee (PAC). Despite the investment, the attack—described as one of the most sensitive in British history—went undetected for four months, raising concerns over the MoJ’s risk management.

The LAA’s cybersecurity risks had been flagged as "extremely high" on its risk register since 2021, prompting three rounds of funding (£8.5M, £10.5M, and £32M) to address gaps. However, the attack began in December 2024 and was only discovered in April 2025, with servers taken offline nearly a month later in May. A portion of the £10.5M funding was used to deploy a new threat detection system, though its operational timeline remains unclear.

The breach’s full scope emerged on May 16, 2025, when investigators confirmed attackers had accessed not only legal aid providers’ financial data but also sensitive information on legal aid applicants. The LAA immediately shut down systems, secured an injunction to prevent data leaks, and activated contingency measures. While no providers exited the market, the disruption forced manual processes, straining legal sector workers and delaying case management.

To maintain operations, the LAA issued average monthly payments to providers based on pre-attack data, later recovering funds at a 25% rate, meaning that payments made over a 20-week contingency period would take 20 months to recoup. MoJ permanent secretary Dr. Jo Farrar acknowledged the LAA may require additional funding to fully modernize its IT systems, though budget allocations remain uncertain.

The PAC report criticized the MoJ’s handling of the incident, questioning public confidence in its ability to secure personal data. Farrar defended the department’s efforts, citing a comprehensive review of all systems and ongoing investments to counter increasingly sophisticated threats. However, the attack underscores persistent risks in high-priority government systems.

Source: https://www.theregister.com/2026/01/07/legal_aid_agency_attack/

Ministry of Justice UK cybersecurity rating report: https://www.rankiteo.com/company/uk-ministry-of-justice

"id": "UK-1767792855",
"linkid": "uk-ministry-of-justice",
"type": "Cyber Attack",
"date": "12/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Legal aid applicants, legal aid '
                                              'providers',
                        'industry': 'Legal, Public Sector',
                        'location': 'United Kingdom',
                        'name': 'Legal Aid Agency (LAA)',
                        'type': 'Government Agency'}],
 'customer_advisories': 'Legal aid providers informed in April 2025 about '
                        'potential financial data exposure; further updates in '
                        'May 2025 regarding legal aid applicant data',
 'data_breach': {'data_exfiltration': 'Yes (potential publication on the '
                                      'web/dark web)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Legal aid applicant data',
                                              'Legal aid provider financial '
                                              'data',
                                              'Personally identifiable '
                                              'information']},
 'date_detected': '2025-04',
 'date_publicly_disclosed': '2025-10',
 'description': "The UK's Ministry of Justice (MoJ) disclosed a high-profile "
                'cyberattack on the Legal Aid Agency (LAA) after spending £50 '
                'million on cybersecurity improvements. The attack, considered '
                'one of the most sensitive in British history, began in '
                'December 2024 but was not detected until April 2025. The LAA '
                'initially underestimated the extent of the breach, later '
                'discovering that legal aid applicant data was compromised. '
                'Systems were taken offline in May 2025, and contingency '
                'measures were enacted to maintain access to legal aid '
                'services.',
 'impact': {'brand_reputation_impact': "Loss of public confidence in MoJ's "
                                       'ability to secure personal data',
            'data_compromised': 'Legal aid applicant data, legal aid provider '
                                'financial data (account and transaction '
                                'data), personally identifiable information',
            'downtime': 'Systems taken offline in May 2025; manual processes '
                        'implemented',
            'financial_loss': '£50 million spent on cybersecurity '
                              'improvements; overpayment to legal aid '
                              'providers during contingency period',
            'identity_theft_risk': 'High (personally identifiable information '
                                   'compromised)',
            'operational_impact': 'Manual processes for managing caseloads, '
                                  'delayed recovery of overpaid funds (20 '
                                  'months estimated), profound impact on legal '
                                  "sector workers' wellbeing",
            'payment_information_risk': 'High (financial data such as account '
                                        'and transaction data accessed)',
            'systems_affected': 'LAA servers, legal aid systems'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Potential (injunction '
                                                    'obtained to prevent '
                                                    'publication)'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Underestimation of breach extent, delays in detection and '
                    'response, need for accelerated IT transformation and '
                    'additional funding for cybersecurity improvements',
 'motivation': 'Criminal purposes',
 'post_incident_analysis': {'corrective_actions': 'Implementation of new '
                                                  'threat detection system, '
                                                  'contingency measures, '
                                                  'manual processes, recovery '
                                                  'of overpaid funds, '
                                                  'comprehensive review of MoJ '
                                                  'systems',
                            'root_causes': 'Security shortcomings identified '
                                           'since 2021, delayed threat '
                                           'detection, underestimation of '
                                           'breach extent, delayed system '
                                           'shutdown'},
 'ransomware': {'data_exfiltration': 'Yes'},
 'recommendations': 'Accelerate IT transformation, allocate additional funding '
                    'for cybersecurity, improve threat detection and response '
                    'times, enhance public confidence in data security',
 'references': [{'source': 'Public Accounts Committee (PAC) Report'},
                {'source': 'The Register'}],
 'response': {'communication_strategy': 'Advisories to legal aid providers in '
                                        'April 2025; further updates in May '
                                        '2025',
              'containment_measures': 'Servers taken offline in May 2025, '
                                      'injunction to prevent data publication '
                                      'on the web/dark web',
              'enhanced_monitoring': 'New threat detection system (operational '
                                     'status unclear)',
              'incident_response_plan_activated': 'Yes',
              'recovery_measures': 'Recovery of overpaid funds from legal aid '
                                   'providers (25% repayment rate)',
              'remediation_measures': 'Implementation of contingency measures, '
                                      'manual processes for legal aid '
                                      'management'},
 'stakeholder_advisories': 'Daily senior-level discussions between LAA and MoJ '
                           '(April 23 - May 16, 2025)',
 'title': "Cyberattack on the UK's Legal Aid Agency (LAA)",
 'type': 'Data Breach, Cyberattack'}