TL;DR
The Ministry of Justice allocated £50 million to strengthen cybersecurity at the Legal Aid Agency, but a breach that began in late 2024 was not detected until April 2025. A Public Accounts Committee report highlights gaps in detection, delays in response, and ongoing questions about funding and remediation.
What happened
A Public Accounts Committee report found that the Ministry of Justice (MoJ) had channelled £50 million into improving cyber defences at the Legal Aid Agency (LAA) after the agency's cyber risk was rated "extremely high" on its risk register from 2021. The funding was delivered in three tranches of roughly £8.5m, £10.5m and £32m. Despite this investment, the intruders' first known access occurred on December 31, 2024, but the incident was not detected until April 2025. Some of the planned spending — drawn from the £10.5m round — funded a new threat-detection system that later identified the intrusion, but the report does not confirm when that system became operational. The LAA continued to discuss whether to keep servers online while assessing risk; servers were ultimately taken offline on May 16, 2025. Initially the agency believed only provider financial details were affected, but later concluded that a larger volume of data, potentially including legal aid applicants, had been accessed. During contingency operations the LAA issued average monthly payments to providers and is recouping those sums over time.
Why it matters
- Major cyber risk remained unresolved despite substantial investment, raising questions about program effectiveness and oversight.
- Delayed detection and a slow shutdown increased the period during which sensitive data may have been exposed.
- Interruption and manual fallbacks had significant operational and wellbeing impacts on legal aid providers and staff.
- The incident may require further MoJ funding to complete a full IT transformation and rebuild public confidence.
Key facts
- The MoJ allocated £50 million to improve security at the Legal Aid Agency.
- Funding was provided in three rounds: about £8.5m, £10.5m and £32m.
- The LAA's cyberattack timeline: first known intrusion on December 31, 2024; detection in April 2025; servers taken offline on May 16, 2025.
- The LAA's cyber risk had been on its risk register since 2021 with an "extremely high" rating.
- Part of the £10.5m funding round paid for a new threat-detection system that later identified the breach; the report does not state when the system went live.
- Initially the agency believed only legal aid provider data — including some financial details — were affected; later investigations showed attackers accessed a larger volume of information, potentially including applicants' data.
- During contingency operations the LAA made average payments to providers based on the prior three months' averages and is recouping those sums at 25% of the payment speed.
- MoJ permanent secretary Jo Farrar told the committee additional funding may be needed to fully transform the LAA's IT estate; acceleration depends on budget allocation decisions.
- The Public Accounts Committee criticised the MoJ's handling of this incident alongside broader failings at HMP Dartmoor.
What to watch next
- Clarification from the MoJ on the exact date the new threat-detection system became operational — not confirmed in the source.
- Decisions on additional funding and whether the LAA's IT transformation will be accelerated through the MoJ's allocation process — not confirmed in the source.
- Further findings on the full scope of compromised data and the outcomes of ongoing investigations and legal remedies, including the injunction's effectiveness — not confirmed in the source.
Quick glossary
- Legal Aid Agency (LAA): A UK public body that administers civil and criminal legal aid, paying providers and managing related systems.
- Public Accounts Committee (PAC): A parliamentary committee that examines government expenditure, performance and value for money.
- Risk register: A document or system for recording identified risks, their severity, and planned mitigations within an organisation.
- Threat-detection system: Technology or software designed to identify malicious activity, intrusions, or anomalies on a network or IT estate.
- Injunction: A court order that can restrict publication or dissemination of information while legal or investigative processes continue.
Reader FAQ
When did the breach start and when was it detected?
According to the report, the first known intrusion occurred on December 31, 2024; it was detected in April 2025.
Did the £50m investment prevent the attack?
The report shows the investment did not prevent the intrusion being established months before detection.
Was personal applicant data exposed?
The LAA initially thought only provider data was affected but later found the attackers had accessed a larger volume of information, potentially including applicants' data.
Will the MoJ fully replace the LAA's IT systems?
The MoJ said the LAA will likely need more funding for a full transformation, but acceleration depends on future budget allocation decisions.
CYBER-CRIME Ministry of Justice splurged £50M on security – still missed Legal Aid Agency cyberattack High-risk system compromised long before intrusion was finally spotted Connor Jones Wed 7 Jan 2026 // 12:28 UTC The…
Sources
- Ministry of Justice splurged £50M on security – still missed Legal Aid Agency cyberattack
- MoJ spent £50M on security at Legal Aid Agency before …
- Legal Aid Agency cyber security incident: frequently asked …
- Legal aid hack: data from hundreds of thousands of people …
Related posts
- Roblox now requires video selfies from children aged nine for age checks
- Jaguar Land Rover wholesale volumes fall 43% after cyberattack disruption
- Greenland’s Hidden Mineral Wealth Under the Ice: History, Risks, and Hurdles