Over the past month this site has covered a series of attacks where the goal was always the same: steal credentials. Passwords, API keys, admin logins, database details, national insurance numbers. Week after week, the attackers got in, took what they came for, and left. But we have not yet answered the question that probably sits at the back of your mind after reading each of those stories.
What do they actually do with it?
To answer that properly, we need to look at one of the most significant — and most overlooked — UK data breaches of the past year. Because it answers the question better than any technical explanation could.
So what actually is a data breach?
A data breach happens when information that was supposed to be private is accessed by someone who was not supposed to have it. It can happen because of a hack, a supply chain attack, a human error, or sometimes just a misconfigured system that leaves a door open without anyone noticing.
The thing most people do not realise is that a breach and its consequences are two separate events, often separated by months or even years. The moment the data is stolen is only the beginning. What happens to it afterwards — where it goes, who buys it, what it is used for — is a slower, quieter story that rarely makes headlines.
A real example: the Legal Aid Agency breach
In April 2025, attackers gained access to the digital systems of the Legal Aid Agency — the government body that administers legal aid in England and Wales, helping people who cannot afford legal representation to access the justice system. It is part of the Ministry of Justice.
The breach was not discovered immediately. In fact, later investigations revealed that attackers had been inside the systems since December 2024 — meaning they had been quietly present for around four months before anyone noticed. Data was being copied and removed from January 2025 onwards.
When the full scale became clear in May 2025, the picture was serious. Approximately 2.1 million records had been accessed and downloaded, covering legal aid applicants going back as far as 2007 — an 18-year span. The data included names, addresses, dates of birth, national insurance numbers, criminal history, employment status, and financial details including debts and payment amounts. In some cases, information about applicants' partners was also taken.
The Ministry of Justice confirmed that the attack was made possible in part by fragile, outdated IT infrastructure. The attackers did not need sophisticated tools. They needed time — and they had it.
The online portal used by legal aid providers was taken offline and did not fully return until December 2025, seven months later. Legal aid firms — many of them small businesses operating on tight margins — lost access to their billing systems for months, causing significant financial strain. A court injunction was put in place prohibiting the publication of the stolen data, though such injunctions cannot undo the fact that the data has already been taken.
What makes this data so dangerous
The Legal Aid Agency breach is a useful illustration because the data involved is not just sensitive — it is about some of the most vulnerable people in society. People who applied for legal aid are, by definition, people who needed help: those facing criminal charges, domestic abuse survivors, people at risk of losing their homes, asylum seekers, families in dispute. Their records reveal not just who they are, but what they have been through.
This matters because stolen data is not used in a single way. It is more useful to think of it as a toolkit — one that different criminals can use for different purposes.
Identity theft is the most straightforward. With a name, address, date of birth, and national insurance number, a criminal can apply for credit cards, loans, mobile phone contracts, and government services in someone else's name.
Targeted phishing is subtler and often more effective. If a criminal knows that someone applied for legal aid in 2019, they can craft a very convincing message: "We are writing about your legal aid application. Your records show an outstanding amount of £87.50. Please click here to resolve this." The victim recognises the reference. The message feels real. They click.
Blackmail and extortion become possible when criminal records or sensitive personal details are involved. The threat of exposure — to an employer, a family member, a community — can be a powerful lever, especially for people who already feel vulnerable.
Credential stuffing happens when stolen usernames and passwords are tried automatically across hundreds of other services. Most people reuse passwords. A credential from one breach often unlocks accounts elsewhere.
None of this happens immediately. Stolen data is frequently sold, traded, and resold across criminal marketplaces. A record stolen in January 2025 might not be used until 2027. The lag between breach and harm is one of the reasons breaches feel abstract — the consequences can arrive long after the event that caused them.
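The credential stuffing described above leaves a recognisable trace in a service's login records: one source tries many different usernames in a short time and nearly all attempts fail. As an added example (not part of the original article), this Python code flags such sources in constructed login events and lists the accounts a reused password unlocked; the function name, thresholds and sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (timestamp, source IP, username, succeeded).
EVENTS = (
    # One source walks a list of usernames; a single reused password works.
    [("2025-01-10T09:00:%02d" % i, "203.0.113.7", u, u == "erin")
     for i, u in enumerate(["alice", "bob", "carol", "dave", "frank", "erin"])]
    # An ordinary user mistypes a password twice, then gets in.
    + [("2025-01-10T09:01:%02d" % i, "198.51.100.20", "grace", i == 2)
       for i in range(3)]
    # A shared office address: many users, but every login succeeds.
    + [("2025-01-10T09:02:%02d" % i, "192.0.2.50", u, True)
       for i, u in enumerate(["heidi", "ivan", "judy", "mallory", "niaj"])]
)


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.8):
    """Return {source_ip: [accounts that logged in successfully]} for each
    source that tried many distinct usernames, mostly failing, in one window.
    Threshold values are illustrative assumptions, not recommended settings."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                # Any success from a flagged source is a likely takeover.
                flagged[ip] = sorted({u for _, u, ok in rows if ok})
                break
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(EVENTS).items():
        print(ip, "flagged; accounts to lock and reset:", accounts)
```

Accounts returned for a flagged source are the ones to lock and reset first, because the password that worked there came from somewhere else.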
How do you spot it and protect yourself?
Assume it has already happened. Given the scale and frequency of breaches over the past decade, the realistic position is that some of your personal data has already been involved in at least one. That does not mean you have been harmed — but it means vigilance is sensible.
Be suspicious of contact that knows things about you. A message that references your specific circumstances — a legal case, a purchase, a subscription — is not necessarily trustworthy. Criminals buy that context to make scams more convincing. Verify independently before responding to anything that asks you to act.
Use different passwords for different services. This limits the damage when any single breach occurs. A password manager makes this practical.
Check whether your email address has appeared in known breaches using a free tool such as haveibeenpwned.com, which cross-references your email against published breach databases.
If you applied for legal aid between 2007 and May 2025, the UK government advises you to remain vigilant for suspicious contact. The NCSC has published guidance at ncsc.gov.uk on protecting yourself after a data breach.
Should you be worried?
The honest answer is: not panicked, but alert. The Legal Aid Agency breach is serious because of who was affected and how sensitive the data is. For most people whose data was involved, nothing will happen. For some, something will. The difficulty is not knowing which group you are in.
What is clear is that breaches of this scale — government systems, holding 18 years of personal records, on outdated infrastructure — should not happen. The Ministry of Justice minister said as much when she confirmed the attack had been made easier by fragile IT systems. That is a human decision, or rather a long series of human decisions, to defer investment in infrastructure that holds some of the most sensitive data the state collects.
The data did not steal itself. The systems did not fail on their own. And the harm that follows — the phishing attempts, the identity fraud, the exploitation of vulnerability — will be the work of people who chose to use stolen information to hurt other people.
That is where the trail always ends. Not with technology. With humans.
🧠 The Human Factor
| | |
|---|---|
| Technology involved | The Legal Aid Agency's digital services — outdated government IT infrastructure holding 18 years of legal aid applicant records |
| Root cause | A targeted cyberattack made possible by fragile, under-invested IT systems; attackers had undetected access for four months before discovery |
| What was at risk | The personal, financial, and legal records of approximately 2.1 million people — including some of the most vulnerable individuals in the justice system |
| Prevention | Investment in modern, secure government IT infrastructure; timely detection of unauthorised access; prompt notification to those affected; for individuals, vigilance against targeted phishing using stolen context |
References and sources
- Legal Aid Agency official data breach notice and FAQs — gov.uk (May 2025, updated August 2025)
- Ministry of Justice statement to Parliament, May 2025
- Law Society guidance on the Legal Aid Agency data breach — lawsociety.org.uk
- Legal Aid Agency data breach — The Record from Recorded Future News (May 2025)
- National Cyber Security Centre guidance on protecting yourself after a data breach — ncsc.gov.uk
- SC Media: UK Legal Aid Agency faces system woes post-cyberattack (December 2025)
If you applied for legal aid between 2007 and May 2025 and have concerns, the government's advice and contact details are available at gov.uk/government/news/legal-aid-agency-data-breach