Legal Aid systems still offline months after cyber attack, despite emergency reforms

Continuing disruption in major government department shows just how critical cyber cover is

By Daniel Wood

More than two months after a major cyber-attack crippled the Legal Aid Agency’s (LAA’s) digital infrastructure, core services remain offline, prompting emergency legal reforms and exposing systemic fragilities in one of the justice system’s most vital administrative arms. 

In a written statement to Parliament today, Sarah Sackman, Minister of State for Courts and Legal Services, confirmed that a statutory instrument—The Criminal and Civil Legal Aid (Amendment) Regulations 2025—will come into force tomorrow to preserve continuity of service.  

The changes grant temporary delegated powers to legal aid providers and waive financial contributions from clients, but they also lay bare the scale of the disruption: key civil legal aid systems have yet to be restored. 

“We now need to go further,” the Minister said, “because some LAA digital services, especially those covering civil legal aid, remain offline.” 

The cyber-attack, discovered on 23 April and later revealed to be far more extensive than first understood, exposed sensitive personal and financial data of legal aid applicants dating back to 2010. The breach is understood to involve names, addresses, national insurance numbers, criminal records, and financial details. The data is believed to have been downloaded by a hostile actor, though the Ministry of Justice has obtained an injunction against its dissemination. 

“Disruptions that last way longer than expected” 

“What this particular incident shows is that cyber attacks can cause disruptions that last way longer than expected,” explained David Warr (main picture), QBE Insurance Portfolio Manager for Cyber. “A platform that involves a variety of external stakeholders can be harder to restore than an internal system.” 

The LAA took the unprecedented step of taking its entire online platform offline to prevent further data loss, and has since relied on a patchwork of phone lines, email correspondence and temporary workarounds to process legal aid claims. Legal aid providers have, in effect, been operating without a functioning back office for nearly ten weeks. 

“That is why organisations looking at enhancing their online security must look at their whole ecosystem,” Warr told Insurance Business. “They need to check their whole supply chain. In a world where organisations are interconnected, vulnerabilities are also interconnected. That is what organisations must work on to improve their cyber resilience.” 

The statutory instrument introduced today is a stopgap, designed to address a backlog of both civil and criminal legal aid matters that cannot currently be administered through standard systems. It temporarily waives income and capital contributions from clients, and empowers providers to amend or withdraw funding certificates, including those for Licensed Work—a task usually reserved for the Legal Aid Agency itself. 

For criminal cases, providers are now authorised to issue representation orders and make related eligibility assessments in certain straightforward scenarios, such as where the client is unemployed or under 18. Payment for new work undertaken since the system’s collapse will also be honoured, even if an application could not be formally submitted. 

Legal aid firms face mounting pressure 

Despite the reforms, the Agency’s core systems are not yet functioning. The LAA has resumed some payment processing and urgent application reviews, and criminal applications for Crown Court matters are again being accepted, but the digital backbone of civil legal aid—through which firms submit cases and receive compensation—remains compromised. 

The changes come amid rising unease among providers. While officials insist they are “working hard on stabilising the LAA’s systems,” legal aid firms face mounting administrative and financial strain. Many are forced to process sensitive client information manually and navigate hastily constructed emergency procedures while remaining unsure when systems will return. 

Jane Harbottle, the Agency’s Chief Executive Officer, acknowledged the profound impact of the breach. “It has become clear that to safeguard the service and its users, we needed to take radical action,” she said in a prior update. “That is why we’ve taken the decision to take the online service down.” 

The incident has renewed scrutiny of government digital resilience, particularly given the sensitive nature of the data handled. With the LAA’s systems down, thousands of applicants—many of whom are vulnerable or engaged in high-stakes legal proceedings—are now navigating legal aid access without digital safeguards, raising concerns about both security and access to justice. 

Legal professionals have broadly welcomed the regulatory flexibility but remain concerned about the long-term implications. The absence of a definitive timeline for restoration has added to frustration in the sector, and questions persist over how the Agency’s cyber defences were compromised and why detection took weeks. 

The Ministry of Justice has confirmed that the National Crime Agency and the National Cyber Security Centre are involved in the ongoing investigation. 

In the meantime, legal aid providers, already working under cost pressure and a shrinking footprint, are left to carry the burden of the crisis. With core systems still disabled and only temporary measures in place, the statutory instrument may be a necessary intervention—but it is no substitute for full operational recovery. 

As Sackman acknowledged in her statement, these measures are “designed to ensure... system stability until digital operations can be restored.” For now, that restoration remains a hope rather than a reality. 
