Legal aid hack: what to do if you think your data has been stolen
The government's Legal Aid Agency, which provides civil and criminal legal aid and advice in England and Wales, has experienced a data breach.
The Ministry of Justice (MoJ) has said that everyone who applied to the Legal Aid Agency since 2010 has potentially had their personal data accessed.
This data includes criminal records, contact details, home addresses, dates of birth, national insurance numbers, criminal history, employment status and financial information.
Below, we explain what to do if you think your data has been stolen.
Legal aid hack
The Legal Aid Agency first became aware of an attack on 23 April 2025.
The organisation that carried out the attack claims to have accessed 2.1m pieces of data. However, the MoJ hasn't confirmed this.
Vulnerabilities in the Legal Aid Agency's systems are thought to have allowed the cyberattackers to gain access to its systems.
Legal Aid Agency's online services have been temporarily taken down, and it is working with the National Cyber Security Centre to 'bolster the security' of its systems.
Beware of attempted scams
Anyone who has applied for legal aid since 2010 should be wary of potential scam texts, emails and calls, and they are advised to change passwords on associated accounts.
If you've applied to the Legal Aid Agency since 2010, fraudsters may use your data to target you with a scam or steal your identity.
These scams may purport to be from the Legal Aid Agency and go on to ask you for more personal and financial information. So if you do receive any communications along these lines, ignore them until you can verify their legitimacy. The official contact details for the Legal Aid Agency can be found on its website.
Fraudsters could also leverage other information they have on you to attempt to con you. For example, if they know who you bank with, they could impersonate your bank in a scam call. If you receive an out-of-the-blue call claiming to be from your bank, hang up and call it back on a trusted number.
The more information a fraudster has on you, the more they can craft convincing scam messages that attempt to con you - this is known as spear-phishing.
- Find out more: What is spear-phishing?
Sign up for scam alerts
Our emails will alert you to scams doing the rounds, and provide practical advice to keep you one step ahead of fraudsters.
Sign up for scam alerts
Protecting yourself from fraudsters
If your data has been exposed in any breach, you should change your account passwords. You should also take the opportunity to make sure you use a secure (strong and unique) password, and use a password manager to organise and securely store them.
You should also check your credit report with the three main credit agencies - Call Credit, Experian and Equifax - to ensure that accounts haven't been opened in your name. As well as this, keep an eye on bank accounts for any unusual activity.
Your rights after a data breach
Organisations must tell you as soon as possible that your data has been potentially accessed as part of a data breach. It should also give you an overview of what's most likely to happen as a consequence of the breach and how it's handling the incident.
You should also be given the name and contact details of the organisation's data protection officer.
You may be able to claim compensation from the organisation that suffered a data breach if the theft of your data leads to financial damage or distress.
To do this, you must initially contact the organisation and explain the issues you've dealt with due to the loss of your data and how you expect to be compensated.
The Information Commissioner's Office (ICO) can also play a part in you being awarded compensation. Although it can't award the compensation itself or advise on the amount, it can give you an opinion as to whether the organisation breached the General Data Protection Regulation (GDPR).
If you and the organisation don't reach a satisfactory resolution, you can make a claim via the small claims court, and the ICO's opinion can be used as evidence.
