DBS software data breach

On 22 August 2025, The Register reported “a leading UK provider of criminal record checks for employers is handling a data breach stemming from a third-party development company[*]. Access Personal Checking Services (APCS) has written to customers to notify them that their data have been compromised, according to emails seen by The Register, and confirmed that Hull-based Intradev was the organization initially attacked”.

This has impacted some, but not all, dioceses and only affects DBS checks that have been made online, not paper-based ones; the Church Times suggested that the cyber attack on software used by APCS “has left hundreds of parishioners at risk of identity theft”. It reports that the attack happened on 31 July and at least ten dioceses are affected: Derby, Ely, Guildford, Hereford, Newcastle, Oxford, Salisbury, Southwark, Winchester, and Worcester. Many dioceses confirmed that they were unaffected since they use the DBS checking services of Thirtyone:eight. However, others, such as the Diocese of Guildford, have indicated that APCS works with 17 dioceses. Links to some of these are below.

The cyber attack

Intradev has confirmed that in the cyber attack, certain files that relate to personal data were copied from their system. According to the information from APCS received by the Diocese of Winchester, it is believed that the breach mainly concerns data collected between December 2024 and May 2025. The affected data are likely to include name, date of birth, email address, postal address, place of birth, gender, National Insurance Number, Passport details and Driving Licence; these are text data only, and do not include images or documents. APCS have confirmed that they do not store payment card details or records of any criminal convictions.

Diocesan advice to those impacted by the breach

The Church Times states that different dioceses were informed of the breach at different times: Ely was not alerted until last Saturday evening, while Winchester was contacted on Thursday of the previous week. It notes that dioceses are working to support affected parishes, but the advice given varies according to diocese.

The Diocese of Guildford indicates that the data breach was linked to malicious activity and relates to personal and sensitive information being processed for DBS checks. It further comments:

“All affected parishes should have received an email from APCS by now, but they should continue to check emails over the coming days. Parishes who have received an email from APCS, need to act to notify the Information Commissioner’s Office (ICO) of the breach and contact those whose data has been breached. The APCS will supply you with details of who has been affected, and the Diocesan Team has sent a template on the information to include in both the ICO report and to affected individuals.”

It has also provided a Q&A section which may be generally applicable. The section “What can the Church of England do to help parishes?” states:

“The Church of England is in urgent contact with APCS and is looking for ways to support parishes. The National Church Institutions are offering 12 months of free credit and web monitoring services, provided by Experian, to individuals within the Church of England affected by the breach. The Experian Identity Plus account helps detect possible misuse of personal data and provides people with identity monitoring support, focussed on the identification and resolution of identity theft. Access codes will be made available to dioceses to distribute. As soon as we receive these codes, we will update parishes”.

Links to Diocesan statements, comments &c

A non-exhaustive list of diocesan statements and guidance includes: Canterbury; Carlisle; Coventry; Derby; Durham; Ely; Guildford; Hereford; Lichfield; Newcastle; Oxford; Peterborough; Salisbury; Southwark; Winchester; and Worcester. Through its Facebook page, the Diocese of Liverpool has reassured parishes that it is not an APCS customer and has not been impacted by this breach. Likewise the Diocese of Norwich has stated that it does not use APCS for DBS checks, and is also unaware of any parish that uses APCS.

[*] Whereas the data breach relating to the Redress Scheme, reported here, was due to human error within Kennedys Law LLP, the breach of DBS information was caused by a cyber attack – an unauthorized attempt to access, steal, alter, or destroy data on a computer system or network.


This post is based upon information published by Church of England dioceses and other sources. It does not purport to give specific advice or analysis of the issues discussed, and queries should be directed at the appropriate diocese.

Updated: 30 August 2025 at 11:10.

Cite this article as: David Pocklington, "DBS software data breach" in Law & Religion UK, 29 August 2025, https://lawandreligionuk.com/2025/08/29/dbs-software-data-breach/