
The UK government announced today (19 May) that “a significant amount” of personal data belonging to thousands of legal aid recipients had been breached in a cyberattack.
The breach, identified in April, appeared to be worse than originally thought, according to a joint statement from the Legal Aid Agency (LAA) and the Ministry of Justice (MoJ).
The breach took place on the LAA digital services platform on which legal aid providers log their work and receive payment from the government. The MoJ has yet to verify the reported 2.1 million records accessed, and services are currently offline.
High-profile cybersecurity incidents are increasing in frequency within both the private and public sectors. The LAA attack follows security breaches in recent months on UK retailers Marks and Spencer, Co-op and Harrods. The cyber attacks saw the companies struggle to maintain operations, as well as absorb significant business and financial losses.
Cody Barrow, CEO of cybersecurity company EclecticIQ, says the LAA attack raises urgent questions about the resilience of the UK’s cyber defences. Barrow is a former senior US intelligence official who worked across the NSA, US Cyber Command, and the Pentagon, where he advised the White House and led international cyber operations.
Unlike the retail sector and customer data attacks over the last few months, the LAA attack has compromised some of the most sensitive categories of personal information, including criminal records, national insurance numbers, and financial details, with data going as far back as 2010.
Perhaps more concerning than the attack itself is a broader pattern of “systemic weaknesses in national cyber defences”, according to Barrow. “Breaches will happen, but preventable weaknesses like unpatched systems and poor segmentation make the impact far worse than necessary.”

“If policy makers fail to address the problem, the UK will continue to see disruption of essential public services such as healthcare and local government, exposure of sensitive personal and national data, and growing recovery costs,” adds Barrow.
In addition, cybersecurity threats are becoming increasingly complex and urgent with the rise of AI. Barrow recommends: “Faster detection, smarter automation with state-of-the-art consideration for AI developments, and security built into systems from the start must become national priorities.”
GlobalData research, published in April 2025, estimates the global market for AI-based cybersecurity products was about $15bn in 2021 and will surge to roughly $135bn by 2030.
And risk is not limited to the public sector. Barrow notes: “Public sector gaps expose suppliers and contractors, disrupt shared infrastructure, and weaken confidence in the UK’s digital environment.
“Specific consequences can include risks to private companies that are part of the public sector supply chain like IT services suppliers and economic disruption if critical services are impacted. Data breaches can also impact public bodies involving business-related information, which can subsequently reduce confidence in the overall digital economy.”
The public sector has a duty to protect its citizens’ personal data, and yet it’s likely that vulnerabilities exist beyond just the MoJ, according to Barrow. “While I can’t speak for inner UK governmental workings, public sector IT is often fragmented with varying levels of funding, procurement maturity, and security readiness. That fragmentation alone creates uneven exposure,” he says.
Underfunding is a key factor. However, other issues contribute, including a shortage of skilled cybersecurity professionals in government positions, reliance on outdated legacy IT systems, and the need for better adoption of advanced security measures and risk management practices.
GlobalData senior public sector analyst, Rohan Gogeer, notes that the UK government’s 2025 Spring Statement saw several departments receive real-terms cuts to government budgets, including the MoJ, which Gogeer says, “of course has an impact on the overall structure of the organisation and how it seeks to deal with cyber threats”.
Indeed, in March 2024, the Law Society pointed to the “antiquated IT systems” of the LAA as “evidence of the long-term neglect of our justice system”.
This corroborates GlobalData’s Public Sector Team report on the Cyber Security Gap, which similarly highlights that one of the key vulnerabilities of the UK public sector’s cybersecurity capabilities lies within its legacy infrastructure.
Ultimately, individual government departments are responsible for understanding and managing their own cyber risks and developing their own digital tools. “As tech and IT systems become increasingly vital to the functioning of society and the economy, they also become increasingly valuable targets for a variety of malicious activities and actors,” says Gogeer.