The Legal Aid Agency (LAA), an executive agency of the UK’s Ministry of Justice that oversees billions in legal funding, warned law firms of a security incident and said the attackers might have accessed financial information.

Approximately 2,000 providers, including barristers, solicitor firms, and non-profit organizations, deliver civil and criminal legal aid services in England and Wales under contracts with the LAA. The agency employs around 1,250 staff and runs the country’s Public Defender Service.

In a letter sent to law firms, the agency said it cannot confirm if any data was accessed. Still, it acknowledged the risk that legal aid providers’ payment information might have been compromised, as Sky News first reported.

“This incident is being investigated in accordance with our data security processes, and action has been taken to mitigate the incident,” the agency’s letter reads. “The LAA takes the security of the information we hold seriously, and we understand the potential impact any breach can have on you.”

The UK National Crime Agency has told BleepingComputer that it’s working closely with the MoJ and the UK’s National Cyber Security Centre to probe the incident and support LAA’s ongoing investigation.

“We are aware of a cyber incident affecting the Legal Aid Agency. NCA officers are working alongside partners in the National Cyber Security Centre and MoJ to better understand the incident and support the department,” NCA said.

Cyberattacks targeting UK retailers

This incident follows high-profile cyberattacks targeting the Co-op, Harrods, and Marks & Spencer (M&S) UK retail chains. The DragonForce ransomware operation ​​​​​claimed all three attacks, and BleepingComputer has learned that the threat actors who orchestrated them used the same social engineering attack to breach Co-op and M&S.

Last week, M&S was hit by a DragonForce ransomware attack using Scattered Spider tactics. This attack disrupted online orders, contactless payments, and the company’s Click & Collect service.

Co-op also restricted VPN access as a precaution following another cyber incident that hit its systems and confirmed on Friday that attackers stole data belonging to a “significant number of our current and past members.”

On Friday, May 1st, Harrods confirmed that it restricted internet access to sites after threat actors also tried to breach its network, suggesting an active response to a cyberattack, although a breach has yet to be confirmed.

Since then, the country’s National Cyber Security Centre (NCSC) has published guidance and advised all UK organizations to follow it to strengthen their cybersecurity defenses. The agency also cautioned that these cyberattacks should be seen as a “wake-up call” for all UK businesses, as any of them may become the next target in the hackers’ crosshairs.