According to TheRegister.com, the UK’s Ministry of Justice spent £50 million ($67 million) on cybersecurity for the Legal Aid Agency (LAA) before a major cyberattack it disclosed last year. The agency’s risk of an attack was rated “extremely high” as far back as 2021, prompting funding that was split into rounds of £8.5m, £10.5m, and £32m. Despite this, the attack began on December 31, 2024, but wasn’t detected until April 2025—a four-month gap. LAA CEO Jane Harbottle stated they only realized the full scope, including compromised applicant data, on May 16, 2025, finally taking servers offline. The Public Accounts Committee’s report criticizes the MoJ’s handling, noting some of the security money bought a threat detection system that eventually spotted the breach.
The £50 Million Question
Here’s the thing: throwing money at a problem doesn’t solve it if the execution is flawed. The MoJ knew this system was its crown jewel of risk. They poured in tens of millions. And yet, the attackers were in for four months before anyone noticed. Part of that £10.5 million round was for a new threat detection system, but the timeline is fuzzy—it might not have even been live when the hackers first got in. So what was the rest of that £50 million actually buying? Mitigations, not replacements, according to MoJ permanent secretary Dr. Jo Farrar. That’s a classic IT dilemma: patch the old, creaky system because a full transformation is too expensive and disruptive. Until, of course, it gets hacked and the disruption is total.
Brutal Real-World Fallout
This wasn’t just a data leak. The operational impact on the legal sector was, in the LAA’s own word, “brutal.” For weeks, legal aid providers had to revert to manual processes in a digital age, hammering worker wellbeing. The LAA kept money flowing by making average payments, which was smart for continuity but created a financial mess. Now, they’re recouping those funds at a quarter of the speed they paid them out. If they made 20 weeks of contingency payments, it’ll take 20 months to get the money back. That’s a years-long hangover from a weeks-long crisis. And while no providers left the market, how much goodwill and trust was burned?
Confidence And Cost
The PAC asked the big question: can the public trust the MoJ with personal data? Farrar’s answer was basically, ‘We know where our weaknesses are.’ That’s not exactly a ringing endorsement. It admits vulnerability. She also pointed to “increasingly sophisticated actors,” which is true, but also a bit of a standard deflection. The real issue is prioritization and budget. Farrar said accelerating the full IT transformation would need more money, subject to “allocation decisions.” Translation: don’t hold your breath. It’s a vicious cycle. You spend on mitigations because you can’t afford the overhaul, the mitigations fail, the breach costs a fortune in recovery and reputation, and then you still can’t afford the overhaul. It’s a story playing out everywhere, not just in government.
What Comes Next?
So where does this leave the MoJ? With a scathing PAC report and a glaring spotlight on its highest-risk system. The real test is whether this event shocks the system enough to unlock proper transformation funding, or if it just leads to another round of expensive, insufficient mitigations. The fact that senior officials were debating for nearly a month after detection about balancing “access to justice” against the risk of keeping infected servers online tells you everything about the impossible pressures they faced. But it also highlights a catastrophic failure in incident response. When you’re the highest-risk target, you need clarity, not daily debates. This whole saga is a masterclass in how not to handle cyber preparedness. And you have to wonder: if this is what happened at their most flagged system, what’s the state of everything else?
