Guidance

Legal Aid Agency cyber security incident: frequently asked questions

Frequently asked questions about the Legal Aid Agency cyber security incident.

From:
Ministry of Justice and Legal Aid Agency
Published
22 May 2025
Last updated
27 June 2025 — See all updates

Applies to England and Wales

Data breach

Who might have been impacted by this breach? [added 22 May 2025]

We believe the group has accessed and downloaded a significant amount of personal data from those who applied for legal aid through our digital service since 2010.

This data may have included contact details and addresses of applicants, their dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments.

What provider information has been breached? [added 22 May 2025]

We communicated to legal aid providers on 30 April that we believe that some financial details of providers may have been exposed including bank account numbers and sort codes. We have recommended providers remain vigilant for any unusual activity on their accounts.

What steps should I take to protect myself? [added 22 May 2025]

We would recommend anyone who believes they could be involved in this data breach to take steps to protect themselves. This includes being alert for any suspicious activity, messages or phone calls and taking steps to update passwords. If in doubt about anyone you are communicating with online or over the phone, make sure to verify their identity independently before engaging further with them. The National Cyber Security Centre’s webpage contains information on how to protect yourself from the impact of a data breach. The webpage can be found at https://www.ncsc.gov.uk/guidance/data-breaches

Are provider IT systems at risk? [added 22 May 2025]

There is no direct risk. There is no direct connection from Legal Aid Agency (LAA) systems to any provider system – it is a one-way provider to LAA connection only.

There is no contractual obligation on providers to report this incident to the Information Commissioner’s Office (ICO) or to inform clients. The data impacted by this incident is either owned by the LAA or is considered Shared Data within the definition of the contract. The contract at clause 16.3 of the standard terms sets out that the responsibilities of the data controller will be exercised by the party in possession of the data – in this case by the Ministry of Justice (MoJ) as the data controller for LAA. MoJ notified the ICO of the incident and notified data subjects through the public announcement on GOV.UK on 19 May. 

Why is the Portal offline? [added 22 May 2025, updated 27 June 2025]

Further to LAA notifications, the GOV.UK statement posted on 19 May 2025 explains why the Portal is offline. Visit Legal Aid Agency cyber security incident to view the latest updates and contingency measures.

Guidance for clients and providers is available at: Legal Aid Agency cyber-security incident.

Civil applications

Applying for substantive applications where emergency representation has expired [added 2 July 2025]

Emergency representation granted under delegated functions now includes a 16-week time limit and £4,500 costs limitation. These limitations will apply to emergency representation granted under delegated functions where the LAA is yet to make a substantive determination. Limitations on substantive determinations are effective from the date of the emergency representation determination, meaning funding will be continuous from the date of delegated functions where the LAA issues a substantive certificate. Providers can amend limitations under emergency representation where the work is completed within the 16-week limitation. 

Where emergency representation has been granted by the LAA and not under delegated functions, providers can use the CIVAPP8 form to apply for amendments where further urgent work is required. 

In cases where the 16-week limitation has expired providers can submit a substantive application. Please note, we will require a CIVAPP1 (non-family) or CIVAPP3 (family) and the relevant Financial Assessment form(s). Substantive applications cannot be made using the CIVAPP8 form. 

What are the time limits on emergency certificates if providers used delegated functions before the changes on 27 June 2025? [added 2 July 2025] 

New emergency time limits of 16-weeks apply to all cases where the provider has used delegated functions to grant funding (and emergency representation is still in place) regardless of when the determination was made, if this was initially 8-weeks providers now have the power to extend emergency time limit up to 16 weeks.

Is Secure File Exchange via Galaxkey still operational? [added 27 May 2025]

Yes, the Secure File Exchange, via Galaxkey is operating as normal.

How can I progress Exceptional Case Funding (ECF) controlled work applications? [added 30 May 2025]

You can continue to submit ECF controlled work applications in the usual way. For urgent cases, please contact us on ContactECC@justice.gov.uk. In circumstances where you would ordinarily use CCMS, please submit an urgent application using the appropriate application forms and submit to this email address. Guidance on the forms to use is available at this link: Legal aid: apply for exceptional case funding.

What can providers do if they believe the LAA has made a mistake on a Civil Contingency Application or Amendment? [added 13 June 2025]

Providers can use Civil Application Fixer (applicationfixer@justice.gov.uk) if they believe we have: incorrectly rejected or refused, not considered the information provided, asked for documents or information already provided or granted an incorrect cost limitation. We will only review the decision based on the information submitted originally. You must submit an appeal if you wish to provide new information. When emailing this service please provide the contingency reference number and also details of why you believe an error has been made with any supporting evidence. We aim to review submissions within 24 hours (Monday to Friday). We will then rectify any errors at the earliest opportunity. If we believe, based on the information provided, the decision was correct, we will ask you to follow the appeal and review route for challenging a decision.

Civil billing

Providers should continue to submit escape fee claims via Galaxkey and email. These will continue to be processed by LAA for payment under the normal timeline. Providers can continue to submit escape fee claims if they have not been uploaded onto CWA due to the Portal outage. 

How does the current incident impact on Housing Loss Prevention Advice Service (HLPAS) payments? [added 22 May 2025, updated 27 June 2025]

HLPAS payments will be paid as normal. Claims made as part of the CWA contingency submission by 20 June will be paid on or before Monday 7 July. Claims made as part of the CWA contingency submission by 20 July will be paid on or before Monday 4 August.

Claims made on spreadsheet can continue to be submitted in the usual manner. Your payment will be picked up on the next payment run after receipt and processing which may result in you receiving your payment earlier than you currently do.

How should I account for Escape Cases in my Legal Help / Crime Lower monthly submission? [added 4 June 2025]

Guidance is provided in the monthly submission form, available for download at LAA Contingency Monthly Contract Submission, on what to include in your total claim figure. The totals reported for your monthly submission must not include any adjustment for Escape Cases regardless of whether they have been submitted for assessment. Escape Cases will be processed as usual and the LAA will make an adjustment to the monthly payment to account for any additional sums due for Escape Cases that have been assessed during the month.

Crime applications 

There are no crime application FAQs at this time.

Crime billing

How should I account for Escape Cases in my Legal Help / Crime Lower monthly submission? [added 4 June 2025]

Guidance is provided in the monthly submission form, available for download at LAA Contingency Monthly Contract Submission, on what to include in your total claim figure. The totals reported for your monthly submission must not include any adjustment for Escape Cases regardless of whether they have been submitted for assessment. Escape Cases will be processed as usual and the LAA will make an adjustment to the monthly payment to account for any additional sums due for Escape Cases that have been assessed during the month.

How do I make a claim for Crime Hardship payments? [added 4 June 2025, updated 27 June 2025]

Providers are referred to the Crown Court Fee Guidance and Litigator fee claim forms and guidance for details of hardship and interim claims.

Graduated fee (Litigators’ Graduated Fee Scheme (LGFS) and Advocates’ Graduated Fee Scheme (AGFS)) claim assessment recommenced with payments resuming the week commencing 2 June. Claims for hardship should be discussed with your Contract Manager.

Can I include a claim in my Crime Lower monthly submission for a case that has completed but where no Representation Order has been granted yet due to the Portal outage? [added 5 June 2025, updated 17 June 2025]

Yes. If your application relates to a Summary Only / Either Way matter in the magistrates’ court, please assume that the application will be granted. 

When our internal systems become available again, you will need to submit these applications. 

When assessing your application, if we determine that the case should not have been granted, the caseworker will authorise legal aid from the date of the initial stamp (which you will confirm to us) until the date your application is reviewed. At that point, a withdrawal of legal aid would occur. This process will enable you to claim for any costs incurred during this period.

We understand that you will not have a Representation Order. A note on the file referring to the incident will be sufficient for audit purposes.

As you will not have received a MAAT number for these cases, please use 900900 as a dummy MAAT number when claiming. Please note that while current MAAT numbers are 7 digits, 900900 is a valid MAAT number and will be accepted. This is essential to ensure that it is clear that your claim is a contingency claim, and allows us to track and monitor these.

Ministry of Justice schemes 

No, the Qualified Legal Representative scheme is unaffected and claims can be submitted as normal. 

Payments

Will BACS statements continue to be sent following each payment run? [added 4 June 2025]

BACS statements will continue to be printed and posted out as usual after each payment, as will the Provider Statement of Account (PSOA) that are sent out at the end of each month.

Following contact from the LAA, His Majesty’s Revenue and Customs (HMRC) has updated its guidance on the VAT and Debt customer support lines including ‘time to pay arrangements’ acknowledging that HMRC is working with the LAA.

Individual practitioners who are concerned about their ability to meet a VAT bill deadline as a result of delayed legal aid payments should contact HMRC individually.  

HMRC VAT Helpline: 0300 200 3700

Communications

All legal aid providers (contracted solicitors and barristers) registered on the LAA Portal  receive regular email updates. Please check whether your spam filters have blocked incoming emails from the LAA. You will need to ensure you are able to receive messages from communicationsdepartment@justice.gov.uk and legalaidbulletin@labulletin.org.uk to ensure that you receive future correspondence. If you think you are not receiving LAA emails please speak to your LAA Contract Manager, or for members of the independent Bar, please contact the LAA Customer Services Team on 0300 200 20 20 in the first instance to ensure that your correct details are on file.

Can I correspond with the LAA by email? [added 22 May 2025]

Yes, there is no concern with email communication.

Updates to this page

Published 22 May 2025
Last updated 27 June 2025 show all updates

  1. There have been numerous changed submitted please re read the whole guidance.

  2. The following question has been added: How do I transfer an existing live civil certificate from a previous provider under contingency?

  3. Answers to the the questions, 'How do I account for expert costs?' and 'How will High Cost Family case plans be considered under contingency?' have been updated.   

  4. More information added to the question, 'Can I include a claim in my Crime Lower monthly submission for a case that has completed but where no Representation Order has been granted yet due to the Portal outage?'  

  5. Questions and answers on: 1) What can providers do if they believe the LAA have made a mistake on a Civil Contingency Application or Amendment? 2) How can providers obtain civil funding for Judicial Review cases? Have been added to the page.

  6. FAQs have been updated.

  7. New FAQ added.

  8. FAQs have been updated.

  9. New FAQ added.

  10. New FAQs added.

  11. new FAQs added

  12. New FAQs have been added to the page.

  13. Updated questions and answers have been added to the page.

  14. Updated 'Legal aid operations and communications' section of FAQ.

  15. Frequently asked questions have been updated.

  16. More FAQs have been added.

  17. More FAQs have been added.

  18. First published.

Sign up for emails or print this page

Contents