KP Law is now taking on claims from individuals whose data was compromised in the Legal Aid cyber attack. Under UK data protection laws, organisations that fail to adequately protect your information can be held legally responsible.
KP Law is a specialist data breach law firm with a proven track record in securing compensation for victims of corporate cyber negligence.
On 23 April 2025, the Legal Aid Agency (LAA) suffered a serious cyberattack. While the full extent of the breach wasn’t revealed until almost a month later, on 16 May, we now know that it could have affected everyone who applied for legal aid in England or Wales since 2007.
A well-known hacker group, Scattered Spider, claims to have accessed over 2.1 million sensitive data records, including personal information submitted as part of legal aid applications. It has now also been advised that where applications involved partners of the applicant, their data may have also been accessed.
The breach is now under investigation by regulators, including the Information Commissioner’s Office (ICO).
This wasn’t a random attack. A senior government minister, who admitted that the systemic IT vulnerabilities at LAA were known and ignored, has stated:
“They knew about the vulnerabilities of the Legal Aid Agency digital systems, but did not act.”
Given the sensitive and confidential nature of the information held by the LAA, this is very hard to believe, however much it is true; and we believe this failure amounts to a clear breach of data protection law. If your personal data was exposed, you have a legal right to pursue justice and compensation.
You applied for legal aid in England or Wales at any time since 2007
You’ve received a breach notification from the LAA
You’re concerned your personal data may have been exposed
You don’t need to prove financial loss — the emotional impact of the breach (such as stress or anxiety) could still qualify you for compensation.
The type and sensitivity of your data
Any emotional distressed caused
Risk of fraud, identity theft or reputational damage
If the breach caused more serious psychological harm, your compensation could be higher.
KP Law, a leading UK data breach law firm, is investigating the Legal Aid data breach and is preparing a group action on behalf of affected customers. If you believe your personal data was compromised, you may be entitled to compensation. KP Law has extensive experience in handling data breach cases and is committed to holding companies accountable for failing to protect customer information.
We’re acting on a “no win, no fee” basis — so you won’t pay us a penny unless your claim succeeds.
At KP Law, we’re committed to holding the Legal Aid Agency accountable and securing justice for every person whose data was put at risk.
While each case is judged on its own merits, there are some things we would typically look for when it comes to when claiming compensation following a data breach, cybercrime or other GDPR violation:
With stolen data, cybercriminals can make purchases using your bank and credit cards, apply for credit in your name, set up fraudulent bank accounts and access your existing online accounts.
GDPR failures, cybercrime and data breaches can have a significant impact on you, both mentally and physically. They can cause or exacerbate anxiety, stress and other psychological conditions.
See our answers to the FAQs we get asked about the Legal Aid Data Breach.
The Legal Aid Agency became aware of a cyber attack on the 23rd of April 2025. By May, it became clear that the breach was far more extensive than expected, with the incident potentially affecting everyone who accessed legal aid through digital platforms since 2007.
Since the breach, the government has admitted the Legal Aid Agency IT software was not fit for purpose and has been extremely vulnerable to attack for years.
An injunction has been put in place to stop anyone publishing the personal information, and there is no evidence that the data has been published anywhere yet.
The UK Gov released the following statement on the data breach:
“On Wednesday 23 April, we became aware of a cyber-attack on the Legal Aid Agency’s online digital services.
These are the services through which legal aid providers log their work and receive payment from the Government.
In the days following the discovery, we took immediate action to bolster the security of the system, and informed all legal aid providers that some of their details, including financial information, may have been compromised.
Since then, we have worked closely with the National Crime Agency and National Cyber Security Centre as well as informing the Information Commissioner.
On Friday 16 May we discovered the attack was more extensive than originally understood and that the group behind it had accessed a large amount of information relating to legal aid applicants.
We believe the group accessed and downloaded a significant amount of personal data from those who applied for legal aid through our digital service between 2007 and 16 May 2025 when the systems were taken offline.
This data may have included contact details and addresses of applicants, their dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments. In some instances, information about the partners of legal aid applicants may be included in the compromised data.
We would urge all members of the public who have applied for legal aid in this time period to take steps to safeguard themselves. We would recommend you are alert for any suspicious activity such as unknown messages or phone calls and to be extra vigilant to update any potentially exposed passwords. If you are in doubt about anyone you are communicating with online or over the phone you should verify their identity independently before providing any information to them.
An injunction has been put in place to prohibit sharing of this data. Anyone who does so could be sent to prison.
Further information on how to protect yourself from the impact of a data breach can be found on the NCSC website.“
The Legal Aid Agency should be in touch to notify affected individuals.
Anyone who thinks they might be involved should take immediate steps to protect themselves. Find out how to do this here.
If you receive notification that you are affected by the Legal Aid Agency data breach, register to receive updates on our investigation. We’ll let you know what’s happening, and if and when you can make a data breach compensation claim.
A group action claim is where a group of people – sometimes even thousands of people – have been affected by the same issue. Group action cases are also known as class actions, multi-claimant, or multi-party actions.
There are no costs to join our claim. However, if your claim is successful, you may have to pay a ‘success fee’. This fee is taken from the compensation awarded to you. At KP Law, our success fee is competitive, and we make sure you are fully informed about any potential costs before you officially join our action. If you lose, you won’t have to pay a penny.
