Legal Aid Agency Cyberattack Exposes Sensitive Data

Wayne Cleghorn, a Partner specialising in Data Protection, Cybersecurity, and Artificial Intelligence at Excello Law, contributed expert commentary to a recent article in Security Brief discussing the significant cyberattack on the UK’s Legal Aid Agency (LAA).

The breach, discovered on April 23, 2025, compromised sensitive personal data of legal aid applicants in England and Wales, including contact details, national insurance numbers, financial information, and criminal records dating back to 2010. While the exact number of affected individuals remains unconfirmed, reports suggest that up to 2.1 million records may have been accessed by unauthorised parties.

In the article, Cleghorn emphasised the escalating threat of cyberattacks across all sectors, stating, “Cyberattacks of all kinds are rising. Any type of organisation can be a victim. The urgent response is to go back to basics: check key data protection practices, review GDPR compliance, strengthen basic information security safeguards and encourage important suppliers to be on high alert.”

He further highlighted the long-term risks associated with such breaches, noting, “The problem with data breaches of highly sensitive and special category data is not just the immediate exposure and vulnerabilities caused; it is the unknown future nefarious uses of the stolen data, which can be surprising and very harmful to all involved.”

The incident has sparked widespread concern over the adequacy of cybersecurity measures within government agencies. Edward Lewis, CEO at cyber consultancy CyXcel, criticised the tendency to attribute cybersecurity failings to historical underinvestment, asserting, “It’s easy to blame past governments for underinvestment in creaking IT systems. But this government has been in power for nearly a year. Trying to deflect responsibility is both disingenuous and dangerous. Protecting people’s data isn’t a historical obligation, it’s a current one.”

In response to the breach, the LAA has taken its online services offline and is collaborating with the National Crime Agency and the National Cyber Security Centre to investigate the incident and enhance system defences. Authorities are also reviewing IT systems, auditing third-party security practices, and reassessing adherence to the General Data Protection Regulation (GDPR).

For more detailed information, you can read the full article on Security Brief.