Criminal background checker APCS faces data breach
Exclusive: A leading UK provider of criminal record checks for employers is handling a data breach stemming from a third-party development company.
Access Personal Checking Services (APCS) has written to customers to notify them that their data has been compromised, according to emails seen by The Register, and it confirmed to us that Hull-based Intradev was the organization initially attacked.
APCS describes itself as the UK’s fastest service for carrying out Disclosure and Barring Service (DBS) checks, which were known as Criminal Record Bureau checks prior to 2012. Organizations use them for roles that require background screening, such as jobs that involve working with children or vulnerable individuals, as well as in the healthcare and financial services sectors.
APCS claims it works with more than 19,000 organizations, although it is unclear how many are affected. It did not provide a statement upon request.
Intradev is a software development company that produces bespoke software for clients ranging from small independent businesses to prominent household names, and is certified under the UK National Cyber Security Centre’s (NCSC’s) Cyber Essentials program.
Its managing director, Steve Cheetham, confirmed to The Register that the attack was detected on August 4, and the source of the intrusion remains under investigation.
“This incident involved unauthorised malicious activity with our systems and is being treated as a significant IT incident,” he said.
“Initial containment measures were implemented immediately. We are currently conducting a detailed investigation into the incident, including a review of the affected files and systems. At this stage, we are working to understand the nature and scope of the data involved.”
Asked whether the attack involved ransomware, Cheetham neither confirmed nor denied it.
“During the incident, certain files were affected,” he said. “We are continuing to investigate the nature of this activity and its potential impact. Attribution is not yet confirmed.”
The data types affected by the attack remain under investigation, although according to information sent by APCS to its customers, they include basic personal information, as well as passport, driving license, and national insurance details.
As ever with such cases, each individual’s data will be affected in different ways, depending on what they gave to service providers.
APCS told customers it believes that the crooks did not get financial information.
Intradev’s managing director added, “We have reported the incident to the relevant authorities, including the Information Commissioner’s Office (ICO) and Action Fraud, and continue to liaise with them as appropriate. We remain committed to fulfilling our legal and regulatory obligations and handling this matter with diligence and care.”
The ICO confirmed to The Register that Intradev referred itself to the data protection watchdog, which is making its enquiries into the matter.
The UK government oversees the Disclosure and Barring Service, and it operates a dedicated department for delivering the checks. It declined to comment on the news, as did the NCSC. ®