Guidance

Legal Aid Agency cyber security incident: frequently asked questions

Frequently asked questions about the Legal Aid Agency cyber security incident.

From:
Ministry of Justice and Legal Aid Agency
Published
22 May 2025
Last updated
23 July 2025 — See all updates

Applies to England and Wales

Data breach

Who might have been impacted by this breach? [added 22 May 2025]

We believe the group has accessed and downloaded a significant amount of personal data from those who applied for legal aid through our digital service since 2010.

This data may have included contact details and addresses of applicants, their dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments.

What provider information has been breached? [added 22 May 2025]

We communicated to legal aid providers on 30 April that we believe that some financial details of providers may have been exposed including bank account numbers and sort codes. We have recommended providers remain vigilant for any unusual activity on their accounts.

What steps should I take to protect myself? [added 22 May 2025]

We would recommend anyone who believes they could be involved in this data breach to take steps to protect themselves. This includes being alert for any suspicious activity, messages or phone calls and taking steps to update passwords. If in doubt about anyone you are communicating with online or over the phone, make sure to verify their identity independently before engaging further with them. The National Cyber Security Centre’s webpage contains information on how to protect yourself from the impact of a data breach. The webpage can be found at https://www.ncsc.gov.uk/guidance/data-breaches

Are provider IT systems at risk? [added 22 May 2025]

There is no direct risk. There is no direct connection from Legal Aid Agency (LAA) systems to any provider system – it is a one-way provider to LAA connection only.

There is no contractual obligation on providers to report this incident to the Information Commissioner’s Office (ICO) or to inform clients. The data impacted by this incident is either owned by the LAA or is considered Shared Data within the definition of the contract. The contract at clause 16.3 of the standard terms sets out that the responsibilities of the data controller will be exercised by the party in possession of the data – in this case by the Ministry of Justice (MoJ) as the data controller for LAA. MoJ notified the ICO of the incident and notified data subjects through the public announcement on GOV.UK on 19 May. 

Why is the Portal offline? [added 22 May 2025, updated 27 June 2025]

Further to LAA notifications, the GOV.UK statement posted on 19 May 2025 explains why the Portal is offline. Visit Legal Aid Agency cyber security incident to view the latest updates and contingency measures.

Guidance for clients and providers is available at: Legal Aid Agency cyber-security incident.

Civil applications

Applying for substantive applications where emergency representation has expired [added 2 July 2025]

Emergency representation granted under delegated functions now includes a 16-week time limit and £4,500 costs limitation. These limitations will apply to emergency representation granted under delegated functions where the LAA is yet to make a substantive determination. Limitations on substantive determinations are effective from the date of the emergency representation determination, meaning funding will be continuous from the date of delegated functions where the LAA issues a substantive certificate. Providers can amend limitations under emergency representation where the work is completed within the 16-week limitation. 

Where emergency representation has been granted by the LAA and not under delegated functions, providers can use the CIVAPP8 form to apply for amendments where further urgent work is required. 

In cases where the 16-week limitation has expired providers can submit a substantive application. Please note, we will require a CIVAPP1 (non-family) or CIVAPP3 (family) and the relevant Financial Assessment form(s). Substantive applications cannot be made using the CIVAPP8 form. 

What are the time limits on emergency certificates if providers used delegated functions before the changes on 27 June 2025? [added 2 July 2025] 

New emergency time limits of 16-weeks apply to all cases where the provider has used delegated functions to grant funding (and emergency representation is still in place) regardless of when the determination was made, if this was initially 8-weeks providers now have the power to extend emergency time limit up to 16 weeks.

Is Secure File Exchange via Galaxkey still operational? [added 27 May 2025]

Yes, the Secure File Exchange, via Galaxkey is operating as normal.

How can I progress Exceptional Case Funding (ECF) controlled work applications? [added 30 May 2025]

You can continue to submit ECF controlled work applications in the usual way. For urgent cases, please contact us on ContactECC@justice.gov.uk. In circumstances where you would ordinarily use CCMS, please submit an urgent application using the appropriate application forms and submit to this email address. Guidance on the forms to use is available at this link: Legal aid: apply for exceptional case funding.

What can providers do if they believe the LAA has made a mistake on a Civil Contingency Application or Amendment? [added 13 June 2025]

Providers can use Civil Application Fixer (applicationfixer@justice.gov.uk) if they believe we have: incorrectly rejected or refused, not considered the information provided, asked for documents or information already provided or granted an incorrect cost limitation. We will only review the decision based on the information submitted originally. You must submit an appeal if you wish to provide new information. When emailing this service please provide the contingency reference number and also details of why you believe an error has been made with any supporting evidence. We aim to review submissions within 24 hours (Monday to Friday). We will then rectify any errors at the earliest opportunity. If we believe, based on the information provided, the decision was correct, we will ask you to follow the appeal and review route for challenging a decision.

Civil billing

Providers should continue to submit escape fee claims via Galaxkey and email. These will continue to be processed by LAA for payment under the normal timeline. Providers can continue to submit escape fee claims if they have not been uploaded onto CWA due to the Portal outage. 

How does the current incident impact on Housing Loss Prevention Advice Service (HLPAS) payments? [added 22 May 2025, updated 27 June 2025]

HLPAS payments will be paid as normal. Claims made as part of the CWA contingency submission by 20 June will be paid on or before Monday 7 July. Claims made as part of the CWA contingency submission by 20 July will be paid on or before Monday 4 August.

Claims made on spreadsheet can continue to be submitted in the usual manner. Your payment will be picked up on the next payment run after receipt and processing which may result in you receiving your payment earlier than you currently do.

How should I account for Escape Cases in my Legal Help / Crime Lower monthly submission? [added 4 June 2025]

Guidance is provided in the monthly submission form, available for download at: Legal Aid Agency Contingency Monthly Contract Submission (MS Excel Spreadsheet, 38.2 KB), on what to include in your total claim figure. The totals reported for your monthly submission must not include any adjustment for Escape Cases regardless of whether they have been submitted for assessment. Escape Cases will be processed as usual and the LAA will make an adjustment to the monthly payment to account for any additional sums due for Escape Cases that have been assessed during the month.

Crime applications 

Crime applications: General

Transfers will operate largely as they do now as set out in the Criminal Legal Aid Manual (CLAM) at Section 7.1. If the transfer is of a Representation Order that was issued by a provider using devolved powers (and following transfer the case will continue to meet the criteria for the use of devolved powers) then there is no requirement to inform the LAA of the transfer decision made by the court. The receiving firm should simply use the existing templates to issue themselves a Representation Order. 

The regulations require that a Representation Order is sent out in all cases, and so this requirement applies to the stockpiled cases as well as ongoing cases.  

Can providers record the time for filling out the Representation Orders templates? [added 21 July 2025] 

5.55 of the Standard Crime Contract Specification Standard Crime Contract Specification states: “You may charge for work done in the exercise of Delegated Functions and recording of such exercise”, although we recognise that this will only make a difference to the fee claimed in limited circumstances. 

If Firm A was acting for the defendant, they effectively exercised their devolved powers to grant a Representation Order, even if the internal administrative processes had not yet been completed. If Firm A wishes to make a claim under paragraph 10.93 of the Standard Crime Contract 2022 Specification, then Firm B must apply to the court for a transfer of the Representation Order.

In this situation, the provisions for an urgent transfer may apply (see section 7.1.2 of the Criminal Legal Aid Manual). Since the Legal Aid Agency (LAA) had not issued the initial Representation Order, the court does not need to notify the LAA of the transfer.

Where a provider received a date stamp on 16 April but was waiting to submit the application for a Representation Order pending receipt of the client’s NI number when the portal went down, can they now exercise devolved powers and grant a Representation Order (criteria is satisfied) from the date stamp date? [added 21 July 2025] 

For applications date stamped in Crime Apply before 7 May 2025 but not submitted, providers will need to email a CRM14 (and CRM15 where required) for the LAA to process. Please tell us on the application about the date stamp you obtained in Crime Apply and the LAA will backdate any Representation Order to this date. 

For any applications date stamped in Crime Apply on or after 7 May 2025, when the delegated powers were implemented, and the criteria are satisfied, then providers can exercise those powers and grant a Representation Order. 

Is there a deadline by when providers need to submit stockpiled applications to the LAA (Crown Court and defendants who are employed, self-employed, a director or is living off savings)? [added 21 July 2025] 

These will be accepted for the foreseeable future however for Crown Court applications it is in your interests to submit these at the earliest opportunity. Without a Crown Court representation order from the LAA you will be unable to apply for prior authority or claim any interim payments. 

A crime contingency section has now been added: Crime Contingency – Legal Aid Learning 

Guidance on the incident webpage states that  where exercising devolved powers, crime providers must provide a copy of the Representation Order to the client. Where the Provider incurs costs of postage to do so, can they claim these as a disbursement, given these are expenses that would not normally have to be incurred? [added 21 July 2025] 

It is envisaged that this would normally happen during routine correspondence with the client or at a physical hearing and so cannot be claimed separately. 

On the Representation Orders that firms have been provided with - what should they populate the ASN, ASN Seq and URN fields with? [added 23 July 2025]  

We previously updated the Representation Order templates to remove the ASN field as this is not needed. Similarly, the ASN Seq field has also now been removed so that only the offences and date of each offence need to be listed. Please use Version 3 of the templates available on the incident webpage. The URN is the Unique Reference Number used in the Common Platform. 

When access to systems has been restored will providers be required to submit all self-granted applications onto Crime Apply? Providers are retaining records of self-grant and using 900900 but it will be onerous for providers and LAA staff alike, if they are required to retrospectively apply for funding. [added 23 July 2025]  

Providers do not need to submit any self-granted applications, either now or when Crime Apply becomes available.

Crime applications: Financial eligibility 

For stockpiled magistrates’ court applications that now fall within the delegated powers, do providers need to get proof of passporting benefit or can they claim based on the info they had at the time they signed their client up for funding? [added 21 July 2025] 

Providers do not need to gather any evidence of a passporting benefit for cases where they were instructed before 16 July 2025.

Do firms need to try and obtain evidence of a passporting benefit for any case that remains live? [added 21 July 2025] 

The onus on providers to try and obtain evidence of passporting benefits will only apply to cases where providers are newly instructed from 16 July 2025 onwards.

What steps should a provider follow where it is not possible to obtain evidence of a passporting benefit from a client? [added 21 July 2025] 

If evidence of a passported benefit cannot be obtained or is not provided despite a chaser, the applications should be assessed as non-passported. For a non-passported case, a provider only needs to gather details of the name, amount and frequency of benefit payments and use this to complete the online means calculator (https://www.gov.uk/guidance/criminal-legal-aid-means-testing). In line with existing requirements, providers do not have to obtain evidence of a non passported benefit. 

Note: if a case is treated as non-passported, it does not need to be emailed to the LAA on a completed CRM14. The only cases that need to be submitted remain those where the defendant is employed, self-employed, a director or living off savings or if the case progresses to the Crown Court. 

Should providers still be seeking to obtain a National Insurance number (NINO) from each passported client? [added 21 July 2025]

It has always been a mandatory requirement for providers to obtain a NINO for any defendant who is in receipt of a passported benefit (with certain exceptions set out in CLAM). This requirement remains in place. It is necessary to enable retrospective confirmation that a defendant was in receipt of the benefit claimed. It is important to note that this checking will not lead to the recoupment of any claims paid, where a good faith and proportionate approach has been demonstrated to implementing the contingency processes in line with the guidance. This checking is, however, essential for us to assess the impact of the contingency arrangements, and the extent of any errors. 

Do providers still need to obtain proof of passported benefits where the client is in court custody? [added 21 July 2025] 

For applicants who are in court custody and claim to be in receipt of a passported benefit, these applications can be automatically passported and do not have to provide their/partner’s NINO. The LAA appreciates the difficulties that applicants are likely to have accessing this information in these circumstances. (NINOs continue to be mandatory for all other applicants as per the normal process). 

What evidence is required to show receipt of a passported benefit? [added 21 July 2025]

Evidence of receipt of a passported benefit (Income Support, Universal Credit, Income-related Employment Support Allowance, Income-based Job Seekers Allowance and Guaranteed State Pension Credit) would be satisfied by one of the following: 

  • A recent bank or building society statement showing transactions during the calculation period (within the last 3 months) – the benefit type must be specified on the statement.
  • A benefit notification letter dated within 3 months.
  • A benefit notification letter older than 3 months supported by a recent bank statement i.e. showing transactions during the calculation period.
  • A screenshot of the payments from the universal credit online account.
  • Additional guidance that may help obtaining evidence direct from DWP Get a proof of benefit letter - GOV.UK

If the client can only provide a bank statement which does not specify the type of benefit, the provider should process the applications as a non-passported benefit (‘benefits bypass’) as previously referred. 

Guidance on benefit income can be found in CLAM, including the regular payment amount at Annex S of the Criminal Legal Aid Manual. Any applications sent to the LAA continue to follow the usual evidence requirements. 

Please note, if the evidence of Universal Credit shows a payment of zero, the applicant is not in receipt of a UC payment and should therefore not be assessed as passported. 

Crime applications: Interests of Justice test 

What happens if a provider grants a Representation Order for an Either Way matter that they think will remain in the magistrates’ court, but the magistrates’ court decide it should go to the Crown Court (for trial) at a hearing, after they have granted the Representation Order?         

The Representation Order template covers the magistrates’ court work only. If an Either Way case is committed to the Crown Court for trial, providers will need to apply for the Crown Court work by emailing in a completed CRM14/15, as they will need a Representation Order covering the Crown Court to claim for the work done. 

What evidence should providers retain on file to evidence that the Interests of Justice (IOJ) test has been satisfied with self-granted applications? [added 21 July 2025] 

Providers should keep a note of IOJ reasoning on file along with full details of the client’s means (including all relevant evidence). For all applications as part of the contingency, IOJ justification should be provided in line with the Widgery criteria, whether that is on file or part of an application to LAA. 

It is also recommended that providers complete a copy of the CRM14/15 and keep this on file for this purpose, although this is not mandatory.

Crime billing

How should I account for Escape Cases in my Legal Help / Crime Lower monthly submission? [added 4 June 2025]

Guidance is provided in the monthly submission form, available for download at: Legal Aid Agency Contingency Monthly Contract Submission (MS Excel Spreadsheet, 38.2 KB), on what to include in your total claim figure. The totals reported for your monthly submission must not include any adjustment for Escape Cases regardless of whether they have been submitted for assessment. Escape Cases will be processed as usual and the LAA will make an adjustment to the monthly payment to account for any additional sums due for Escape Cases that have been assessed during the month.

How do I make a claim for Crime Hardship payments? [added 4 June 2025, updated 27 June 2025]

Providers are referred to the Crown Court Fee Guidance and Litigator fee claim forms and guidance for details of hardship and interim claims.

Graduated fee (Litigators’ Graduated Fee Scheme (LGFS) and Advocates’ Graduated Fee Scheme (AGFS)) claim assessment recommenced with payments resuming the week commencing 2 June. Claims for hardship should be discussed with your Contract Manager.

Can I include a claim in my Crime Lower monthly submission for a case that has completed but where no Representation Order has been granted yet due to the Portal outage? [added 5 June 2025, updated 17 June 2025]

Yes. If your application relates to a Summary Only / Either Way matter in the magistrates’ court, please assume that the application will be granted. 

When our internal systems become available again, you will need to submit these applications. 

When assessing your application, if we determine that the case should not have been granted, the caseworker will authorise legal aid from the date of the initial stamp (which you will confirm to us) until the date your application is reviewed. At that point, a withdrawal of legal aid would occur. This process will enable you to claim for any costs incurred during this period.

We understand that you will not have a Representation Order. A note on the file referring to the incident will be sufficient for audit purposes.

As you will not have received a MAAT number for these cases, please use 900900 as a dummy MAAT number when claiming. Please note that while current MAAT numbers are 7 digits, 900900 is a valid MAAT number and will be accepted. This is essential to ensure that it is clear that your claim is a contingency claim, and allows us to track and monitor these.

What date will my CRM4 be granted from, the date of submission or the date of decision? [added 22 July 2025] 

Our pre-incident process was to grant based on the date of decision. This worked because we were able to process electronic applications within 1 to 2 days. As a result of the email based contingency currently in place, turnaround times are now approximately 8 days (at the time of writing), and we have had feedback that using the date of decision for CRM4s is causing difficulties for some providers. As a temporary measure, prior authority grants will now be backdated to the date of submission. This will be the date the fully completed CRM4 and all necessary information is received by email. If further information is requested, the grant will be effective from the date that further information is provided. Once systems are reinstated and our turnaround times have fallen to more usual levels, we will revert to our previous approach. Please note that we remain unable to grant retrospective CRM4s.  

To ensure that your CRM4 application can be processed first time, please make sure you provide the following: 

  • A fully completed CRM4 form. Please ensure a Unique File Number is provided, along with details of why the expenditure is sought
  • A quote from the expert, containing a breakdown of the requested hours and hourly rate, as well as their postcode
  • Alternative quotes if the hourly rate is higher than the prescribed rates, or the number of hours is higher than typically expected

What can help with assessment if I am claiming a Committal for Sentence fixed fee on a case where no MAAT number has been provided? [added 23 July] 

  • Please claim the case on CCCD using the dummy number 4900900.  
  • Provide a copy of the manual representation order issued by the solicitor, or confirm in the additional information section if the representation order was self-granted. 
  • If you are making an Advocates claim, please also provide an attendance note as this will enable an accurate assessment on initial submission.

Ministry of Justice schemes 

No, the Qualified Legal Representative scheme is unaffected and claims can be submitted as normal. 

Payments

Will BACS statements continue to be sent following each payment run? [added 4 June 2025]

BACS statements will continue to be printed and posted out as usual after each payment, as will the Provider Statement of Account (PSOA) that are sent out at the end of each month.

Following contact from the LAA, His Majesty’s Revenue and Customs (HMRC) has updated its guidance on the VAT and Debt customer support lines including ‘time to pay arrangements’ acknowledging that HMRC is working with the LAA.

Individual practitioners who are concerned about their ability to meet a VAT bill deadline as a result of delayed legal aid payments should contact HMRC individually.  

HMRC VAT Helpline: 0300 200 3700

Communications

All legal aid providers (contracted solicitors and barristers) registered on the LAA Portal  receive regular email updates. Please check whether your spam filters have blocked incoming emails from the LAA. You will need to ensure you are able to receive messages from communicationsdepartment@justice.gov.uk and legalaidbulletin@labulletin.org.uk to ensure that you receive future correspondence. If you think you are not receiving LAA emails please speak to your LAA Contract Manager, or for members of the independent Bar, please contact the LAA Customer Services Team on 0300 200 20 20 in the first instance to ensure that your correct details are on file.

Can I correspond with the LAA by email? [added 22 May 2025]

Yes, there is no concern with email communication.

Other

In relation to Judicial Review work under Public Law, as providers approach settlement but cannot serve the N255 form on the paid party due to a lack of a certificate, will they be protected if they complete the form declaring that the certificate has been issued, even though it hasn’t, until the system is operational and the certificate can be formally obtained? [added 9 July 2025]

Where matters are concluding and costs are being considered, we would consider that the email from the Legal Aid Agency (LAA) confirming the grant of funding is sufficient to constitute the certificate for the purposes of submitting an application to the court. 

Under Regulation 38 of the Civil Legal Aid (Procedure) Regulations 2012, the provider is required to notify the court and other parties of the determination. The details typically included in the LAA’s confirmation email—such as the client’s name, scope of funding, and date of determination—should satisfy the requirements of this regulation. 

We would not expect there to be any penalty or procedural issue if this email is provided to the court in place of the formal certificate, particularly where system issues are preventing its immediate issuance. However, we recommend including a brief covering note explaining the situation and confirming that the formal certificate will be provided once available.

Updates to this page

Published 22 May 2025
Last updated 23 July 2025 show all updates

  1. FAQs on the following subjects have been added: a) Crime applications: On the Representation Orders that firms have been provided with - what should they populate the ASN, ASN Seq and URN fields with? b) Crime applications: When access to systems has been restored will providers be required to submit all self-granted applications onto Crime Apply? Providers are retaining records of self-grant and using 900900 but it will be onerous for providers and LAA staff alike, if they are required to retrospectively apply for funding. c) Crime billing: What can help with assessment if I am claiming a Committal for Sentence fixed fee on a case where no MAAT number has been provided?

  2. New F&Q added to the Crime Billing section

  3. New sections added to the Crime applications

  4. A question on Judicial Review work under Public Law has been added.

  5. There have been numerous changed submitted please re read the whole guidance.

  6. The following question has been added: How do I transfer an existing live civil certificate from a previous provider under contingency?

  7. Answers to the the questions, 'How do I account for expert costs?' and 'How will High Cost Family case plans be considered under contingency?' have been updated.   

  8. More information added to the question, 'Can I include a claim in my Crime Lower monthly submission for a case that has completed but where no Representation Order has been granted yet due to the Portal outage?'  

  9. Questions and answers on: 1) What can providers do if they believe the LAA have made a mistake on a Civil Contingency Application or Amendment? 2) How can providers obtain civil funding for Judicial Review cases? Have been added to the page.

  10. FAQs have been updated.

  11. New FAQ added.

  12. FAQs have been updated.

  13. New FAQ added.

  14. New FAQs added.

  15. new FAQs added

  16. New FAQs have been added to the page.

  17. Updated questions and answers have been added to the page.

  18. Updated 'Legal aid operations and communications' section of FAQ.

  19. Frequently asked questions have been updated.

  20. More FAQs have been added.

  21. More FAQs have been added.

  22. First published.

Sign up for emails or print this page

Contents