Article

The Legal Aid Agency cyberattack — What does it mean for lawyers?

What is the impact on lawyers of the recent Legal Aid Agency data breach? Understand your responsibilities, client risks, and essential cybersecurity measures.

An information note produced by Marsh and CyXcel
Authors: John Kunzler, Managing Director at Marsh, and Thomas Barrett, Partner at CyXcel.

Background

On 23 April, 2025 it became clear that a cyberattack had taken place on the Legal Aid Agency’s digital services, as announced in the official notice issued on 19 May, 2025. The Agency has been working closely with the National Cyber Security Centre, and it is now known that the attackers accessed an extensive amount of data relating to those who have applied for legal aid using the digital service since 2010. This data is believed to include address and contact details, dates of birth, ID numbers, employment statuses and financial information, as well as sensitive data such as criminal history.

The Ministry of Justice (MoJ), as the Government Department responsible for the Legal Aid Agency (Agency), has urged all members of the public who applied for legal aid digitally since 2010 “to take steps to safeguard themselves”, including being alert for suspicious activity, changing any potentially exposed passwords and taking care to verify the identity of persons they are communicating with if they are in any doubt. But what about the other major stakeholder in the Legal Aid relationship, the lawyers who represent those individuals?

What does the data breach mean for lawyers?

The Law Society provided an update on 27 May, 2025 and the Bar Council issued a similar statement on 23 May, 2025, covering what the incident meant for the continued operation of legal aid systems as well as providing links to the Government’s dedicated official webpage that will provide regular updates on the situation and answers to frequently asked questions.

The legal regulators are unsurprisingly dealing with several enquiries related to this incident but, at this stage, little is in the public domain whilst the matter is still being investigated.

The latest information indicates that “some financial details of legal aid providers” (such as law firms) may have been exposed, including bank account numbers and sort codes. It is, therefore, essential that those responsible for such potentially exposed accounts are extra vigilant for unusual activity following this incident.

One positive piece of news is that the official website has confirmed that the scope of the incident relates to a system that functions one way only. Providers (e.g., law firms) can send data to the Agency using it but the system doesn’t provide a return route and so the providers’ IT systems have not been put at direct risk from the incident on the Agency’s system.

It has also been clarified that there is no concern regarding the email systems of the Agency. Individuals and providers can continue to correspond with the Agency using email as they did previously.

Should providers contact individuals impacted?

Sadly, there are a number of notable similar previous data breach incidents in the legal sector, including the July 2006 fire at document storage facility Iron Mountain, the 2007 Child Benefit Agency breach and, more recently, the June 2021 cyberattack on 4 New Square Chambers. In each of those cases, the individuals affected by the breach were contacted promptly by the controllers of the data, so in addition to the Agency’s actions, should providers be doing the same this time?

This is not a simple question: trying to anticipate problems in the absence of any real claims, and without the particular factual context of each provider and the information concerned, is tricky. The official Government website states that providers do not need to contact clients, either as regards their contractual duties under the Legal Aid scheme or for any wider reason (seemingly such as data protection obligations). Its analysis is that the responsibility for notification falls solely on the Agency/MoJ as the independent Controller or as the nominated responsible controller of this data.

It further notes that the MoJ notified data subjects through the public announcement on gov.uk on 19 May, 2025, and that all providers were separately notified by email. When contacted in one case, the SRA ethics online helpline took a similar approach, stating that as “… the data breach has not been caused by the solicitor or the firms affected. There is no need to report to us. In view of this, please comply with any guidance from the ICO and from the Legal Aid Agency on this issue”.

Each provider (whether a law firm or a Barrister) will have to satisfy themselves that they are acting compliantly in relation to their various legal obligations, including data protection ones. It would be sensible to review your operating practices and consider what (if any) data shares you were part of with the Agency, what data they involved, for what purpose, and what the nature of each share was. Armed with that analysis, you will be able to come to a reasonable conclusion as to whether you agree with the official website’s view that no further action is needed on your part in this regard. That outcome could be, for example, because:

  • You assess that you have not shared any relevant information in the relevant period.
  • The share was set up as a clear controller to controller share and the breach arose subsequent and separate to the transfer, such that the breach only relates to copies of information under the control of the Agency/MoJ and not to any original copies of that information controlled by you.

This approach is also what has been recommended by the SRA ethics online service, which highlighted that firms will still need, “to consider whether any further advice or guidance is required to specific clients who may be at higher risk due to their individual circumstances — we appreciate that the LAA has put out a public statement but your firm [still] needs to consider this…”.

If you are in any doubt, and in particular, if you believe there might be relevant data that is subject to joint-control between yourselves and the Agency, further investigation and due diligence checks (potentially with expert assistance) are recommended given the tight time limits on the obligation to notify the ICO and to take further action.

It is also important to check the upstream supply chain of any information that you may have provided to the Agency. This is because, in addition to the general legal requirements that apply in all cases, it is far from uncommon for additional conditions to be placed on data when it is originally provided. This could be a condition built into the consent given by the individual who supplied their data to you, or it might be a condition built into a data share arrangement between you and the person/body that supplies you with this data in bulk. For example, a Barrister might have a standard data share arrangement in place with a particular law firm under which they are supplied all the material needed for the cases they work on for that firm. That arrangement might have a clause that specifically requires the recipient to notify the sending law firm of any breaches that may arise in relation to the data supplied. In those scenarios, the recipient is under an obligation to provide the supplier with that required notification for that data, even though the general legal position is likely that they would not otherwise have to.

Guidance for notifying insurers

Firms might have to justify what they have done, not just on a data regulatory basis but on the basis of duty assumed and ongoing for such clients. In terms of notifying insurers and managing the situation for various clients potentially affected, Marsh considers the safest approach for firms is:

  1. To make cyber and professional indemnity underwriters aware that the firm continues to have Legal Aid contracts and clients, and that clients may be affected, but that at this time there are no actual claims and the firm has no reason to believe that claims may be made against the firm for civil liability (unless that is untrue).
  2. Ongoing clients and matters
    1. To consider and address the risk for ongoing clients (especially vulnerable, elderly, disabled, unsophisticated) who may not understand or be aware of the attack and offer appropriate warnings, and take steps to ensure communication remains secure.
    2. Bear in mind some of these people may be targeted for attack by individuals posing as “rescuers” using confidential information.
    3. Ensure appropriate warnings are sent.
    4. Ensure fee earners are alert to the risk that identity theft and impersonation are more likely for this group. Where possible, ensure the clients understand the extent of the risk they are exposed to given the breach. Changing passwords and watching out for unusual emails and activity is advised.
  3. Historic clients and matters
    1. It seems likely that if there is argued to be some duty or responsibility on the firm, it might be higher in relation to current clients than those for whom the firm acted many years ago.
    2. If the steps needed to identify and contact past clients are relatively straightforward, not entailing significant time or resources, then it seems more likely that there could be criticism from those who fall victim to attacks that no effort was made to warn them.
    3. If for example the firm sends a bulletin email to clients regularly, it would not be a difficult step to send a warning as a one-off publication; some firms have put notices on their websites.
    4. There may be particular clients who are especially vulnerable and may be at higher risk due to their individual circumstances. Consider for example:
      1. A former Legal Aid Agency client who the firm knows received a significant financial settlement and is vulnerable — should they be warned?
      2. Abuse victims might find their new names and locations are leaked if these are known to the Agency; while the firm is not responsible for what has happened, we know some practitioners will have acted on repeat occasions, and always do the very best to protect such clients.
  4. Protection of the vulnerable affected should be something the Legal Aid Agency prioritises, but the duty to uphold public trust and confidence in the profession in the best interests of each client and acting with integrity may well be engaged, and action to protect the most vulnerable should be considered.

Conclusion

The recent Agency cyberattack saw personal data belonging to hundreds of thousands of legal aid applicants in England and Wales accessed and downloaded by unauthorised parties. This is yet another stark reminder of the critical need for robust cyber defences in public sector institutions. It is also a reminder that, in our increasingly interlinked digital world, cybersecurity is a team sport: even the most active and effective individuals can suffer a loss if others in their team or supply chain take a hit.

While the latest information is that providers’ IT systems and the Agency’s email systems remain secure, providers should stay vigilant for suspicious account activity. Official updates and FAQs are available on the Government’s dedicated webpage. Additionally, each provider (whether a law firm or a Barrister) should take the opportunity to consider their unique position and potential exposure here, both in order to satisfy themselves that they are acting compliantly in relation to their various legal obligations (including data protection ones) and as regards their obligations to their clients and insurers.

Marsh cyber risk solutions

Marsh supports clients in taking an enterprise-wide approach to building their cyber resilience.
