The data breach that led to the closure of the Legal Aid Agency’s (LAA) online application and payment portal has been revealed to be more severe than initially believed, with personal data dating back to 2007 now thought to have been accessed. 

The LAA portal was taken offline in May, after the Ministry of Justice (MoJ) discovered that sensitive information belonging to legal aid applicants had been compromised. At the time, officials believed the breach had affected data from 2010 onwards. 

A recent update on the issue confirmed that further investigations suggest that information going back as far as 2007 may also have been accessed, along with data relating to applicants’ partners. The revelation extends the potential exposure by three years beyond the original estimate. 

The breach has already caused significant disruption for legal aid practitioners, who have been navigating the LAA’s contingency measures for months. 

New Portal Due in Autumn 2025 

Providers were informed recently that a replacement system is scheduled to launch in September 2025. The MoJ described it as a new “identity access management solution,” although details on which services will be available at launch still remain unclear. 

The ministry said restoring core services, such as the benefits checker, is a priority and will be rolled out in phases. 

Scrutiny From Parliament 

The house of Commons justice select committee has confirmed it will examine the LAA and MoJ’s handling of the cyber attack as part of its wider access to  justice inquiry. 

Committee chair, Andy Slaughter has submitted parliamentary questions to ministers, pressing for details on issues ranging from means test reforms to whether the old system is being rebuilt or replaced entirely. 

Justice minister, Sarah Sackman told MPs that the breach had disrupted planned legal aid fee uplifts and that the department was “working at pace” to deliver on those commitments. She was unable to confirm when the system would be fully restored. 

Concerns Over IT Systems 

Law Society president, Richard Atkinsons criticised the continued reliance on outdated IT systems, warning that holding data as far back as 18 years on vulnerable infrastructure posed a major risk. 

First reported in the Law Society Gazette, he stressed that a fully operational portal was needed urgently to avoid forcing more firms out of legal aid work – work he described as crucial for preventing homelessness and providing stability in family separation cases. 

Atkinson also called for compensation for the unpaid administrative burden placed on firms since the attack, as well as for the backlog of materials they will need to upload once the new system is live. 

The Law Society has raised this issue directly with government officials.