Diocese of Carlisle

News

    APCS Data Breach

    Category
    Latest News
    Date
    28 Aug. 2025
    Author
    Communications
    Share

    Statement – APCS Data Breach

    Data breach: Overseas criminal records checks via Access Personal Checking Service (APCS)

    We have been made aware that the software supplier to APCS, the external organisation we use to conduct DBS checks, has suffered a significant cyber attack resulting in a data breach. Personal information used to verify identity has been compromised, including names, dates of birth, addresses, and passport or driving licence details. APCS has confirmed that they do not store payment card details or records of criminal convictions.

    On 17 August 2025, APCS was notified by Intradev, their external software supplier, of a potential data breach. Intradev confirmed they had been subject to unauthorised access and that certain files containing personal data were copied from their systems during a recent cyber attack.

    We understand the breach concerns data collected between December 2024 and 8 May 2025. APCS and our own diocesan network and servers were not compromised. APCS is working with affected dioceses and conducting a thorough investigation to determine the full scope of the data involved.

    We are advised that around 13,000 people have been affected nationally. This included two people who completed an overseas criminal records check via the Bishop’s Office. We have contacted these individuals directly. If you do not receive an email from the Diocese within the next couple of days, there is no indication that any of your personal information is affected by this breach.

    We are liaising with APCS to understand how many of our parishes complete their own overseas criminal record check’s and may have been affected. If you have received a notification from APCS and have not yet told us, please contact us so we can support you with contacting affected individuals or completing required reports.

    If your parish completes its own overseas criminal record checks using APCS and you have been notified that the parish is affected by the breach, it is important that the parish itself files reports with the Information Commissioner’s Office (ICO) and the Charity Commission. We can provide templates to help you do this if needed. PCCs are separate legal entities, and we have been advised it is not possible for the DBF or the national team to make a single blanket report for all affected entities. We have already notified the ICO and the Charity Commission, so they are aware of the breach.

    Please remain vigilant in managing your personal information online to minimise risk, especially if you are approached by unknown individuals or organisations. Be cautious of phishing emails and avoid clicking links or opening attachments if you are unsure of their source.

    Support for individuals affected by the data breach

    The National Church Institutions are offering 12 months of free credit and web monitoring services from Experian to individuals within the Church of England affected by the breach. The Experian Identity Plus account helps detect possible misuse of personal data and provides identity monitoring support, focused on the identification and resolution of identity theft.

    Access codes will be provided to the Bishop’s office for distribution. Instructions on how to activate an Experian account will be sent shortly.

    END

    Text of email to Parish Safeguarding Officers

    Subject: Important update – APCS data breach and overseas criminal records processing

    Dear Parish Safeguarding Officer,

    You may be aware that Intradev, the software supplier to one of our overseas criminal record check providers, Access Personal Checking Service (APCS), has suffered a data breach affecting personal data collected between December 2024 and 8 May 2025.

    A data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This breach has impacted several dioceses, including two people in the Diocese of Carlisle. Our diocesan network and servers were not compromised.

    If your parish has used APCS independently (that is, outside checks processed by the Diocese), you may receive a separate communication directly from APCS. If you do, you must:

    1.Report the breach to the Information Commissioner’s Office (ICO) and the Charity Commission (we can help with this).

    2.Notify all individuals whose data may have been compromised.

    APCS will provide you with the relevant information about those affected.

    In the meantime, national guidance advises that no further overseas criminal record checks should be processed via APCS until further notice.

    Please note:

    Do not verify any new applications with APCS, even if reminder emails are received.

    Ensure all parish verifiers are informed and instructed not to proceed with verifications via APCS.

    ENDS