We have been informed of a data breach that has occurred involving data processed by Access Personal Checking Services (APCS) Ltd – the provider that our diocese, along with many other dioceses, and most parishes currently use to process online Disclosure and Barring Service (DBS) checks. A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
On 17 August 2025, APCS were notified by Intradev – their external software supplier – of a potential data breach. Intradev confirmed that they have been subject to a cyber attack and certain files that relate to personal data were copied from their system.
According to the information we have received from APCS, we believe the breach mainly concerns data collected between December 2024 and May 2025. The affected data is likely to include name, date of birth, email address, postal address, place of birth, gender, National Insurance number, passport details and driving licence details. The data affected is text data only; it does not include images or documents. APCS have confirmed that they do not store payment card details or records of any criminal convictions.
APCS and our own network and servers were not compromised. Please note this only affects DBS checks that have been made online, not paper-based ones.
APCS have been contacting parishes where they know there has been a data breach. Not all PCCs will need to be contacted. If you have not received an email from APCS, you are unlikely to have been affected, but you should continue to check your inbox, including your spam folder, for emails from them over the coming days.
The potential impact on any affected individuals may include identity theft. It is therefore best to advise people in your parish to remain vigilant to any signs of this taking place. Some helpful guidance is available on the ICO’s website: https://ico.org.uk/for-the-public/identity-theft/.
We are carrying out a risk assessment and have made the decision to report this incident to the Information Commissioner’s Office (the ICO) and the Charity Commission.
We take this matter extremely seriously and understand the distress and worry it will cause to many. Our team are working hard to keep in touch with parishes and answer questions and concerns. We are following up with APCS regularly and are committed to resolving this issue promptly and effectively.
Information for Parishes
A large number of our parishes use APCS to carry out DBS checks. Should you receive an email directly from APCS informing you of the data breach, you will need to report the matter to the Information Commissioner's Office (see more advice below) and contact those whose data may have been breached. APCS will supply you with details of who has been affected.
What do I need to tell people whose data may have been breached?
- the name and contact details of the person in the parish who looks after data protection, or another contact point where more information can be obtained (e.g. PSO, PCC Secretary or Incumbent);
- a description of the likely consequences of the personal data breach, such as:
  - the possibility of receiving spam emails;
  - emotional and reputational harm;
  - personal information being sold to third-party advertisers;
  - the potential for identity theft.
  If you are not sure what to include, use any one or all of the above: they are real examples of potential consequences for a breach like this;
- a description of the measures taken or proposed to deal with the personal data breach (you may need to say that further advice will follow once you have heard more from APCS);
- advice to remain vigilant in managing their personal information online to minimise any potential risk, particularly if they are approached by an unknown individual or organisation that may not be genuine, or if they receive phishing emails containing harmful links or attachments.
The ICO also recommends that you advise individuals on the steps they can take to protect themselves, such as:
- reset passwords;
- always use strong, unique passwords; and
- look out for phishing emails or fraudulent activity on their accounts.
Notifying the ICO
To inform the ICO of a personal data breach, please see their pages on reporting a breach. These pages include a self-assessment tool and some personal data breach examples.
DBS Checks going forward
We have taken the decision to stop using online applications for DBS checks until further information and advice has been received from the National Safeguarding Team (NST).
Initially this suspension will be until 15 September 2025. If your DBS check is not urgent you may choose to hold the application for a few weeks by which point we hope we will have had more guidance from the NST. However, we will still be able to offer paper based DBS applications.
Please send all paper based applications to Siona.Jeffery@winchester.anglican. For those of you who have not previously used the paper based system, Siona is able to offer training via Zoom and also offer refresher training for anyone who needs it.
Support for individuals affected by the data breach:
The National Church Institutions are offering 12 months of free credit and web monitoring services, provided by Experian, to individuals within the Church of England affected by the breach. The Experian Identity Plus account helps detect possible misuse of personal data and provides people with identity monitoring support, focused on the identification and resolution of identity theft.
Access codes will be made available to our diocese to distribute and instructions about how you can access your Experian account will also be sent shortly.
Next steps
While there is no guarantee that your information won’t be misused, most people affected by data breaches do not experience any problems. The guidance above provides sensible precautions based on what information was accessed.
Please look out for a follow-up email with details about how to access the Experian credit monitoring service. We strongly encourage that you take this up.
If you wish to contact APCS directly, please do so on enquiries@accesspcs.co.uk or 0343 611 2727.
Frequently Asked Questions
Who are APCS and what do they do?
APCS specialise in processing disclosures for individuals and small business owners, large public and private sector companies, organisations, and recruitment agencies.
When did this happen?
APCS have stated that their external software supplier, Intradev, notified them on 17 August that their system had been compromised between 31 July 2025 and 15 August 2025, and that certain files containing personal details were copied. APCS were provided with copies of the compromised data on Monday 18 August. APCS' own network and servers were not compromised. From initial assessments made by APCS, the data affected is from 1 December 2024 to 9 May 2025.
Have other organisations outside of the C of E been affected?
Yes. APCS processes Disclosure and Barring Service (DBS) checks for many organisations. This breach also affects those bodies.
How confident are we that only those notified have been affected?
APCS have started the process of notifying those individuals affected by the breach. APCS have said that the breach only affects individuals who were subject to a DBS check between 1 December 2024 and 9 May 2025, but this is a moving situation, and we will keep you updated as we receive more information.
Is this data breach connected to the data incident involving the independent Redress Scheme?
No. The two incidents are unconnected.
What personal information has been leaked?
We are waiting for more details from APCS. We understand that the breach may have affected some or all of the following information: name, phone number, date of birth, email address, address, place of birth, National Insurance number, passport number, driving licence number. It does not include medical information, information on any disclosures, or information about your protected characteristics (e.g. ethnicity, disability, sexual orientation, marital status). The information that was accessed was in text format only. No documents, images, passwords or financial details were affected.
Do PCCs need to report the incident to the ICO?
Yes. PCCs should report separately to the ICO if they have directly accessed the service, i.e. if they have been uploading data to APCS themselves, which makes them the 'data controller'. If the Diocesan Board of Finance (DBF) has been doing this on their behalf, then the DBF should report as the data controller. You can assess this by checking who APCS is corresponding with: if they have contacted the PCC directly, it is likely that the PCC is the controller and therefore must report.
Whether the PCC is part of the national deal is not the issue for reporting to the ICO, the key issue is who the controller is, so if the PCC have their own contract with APCS and have been contacted, they must report it.
Who is responsible for reporting a breach to the ICO?
Only the data controller is responsible for reporting a data breach to the ICO. A breach must be reported where it is likely to result in a risk to the rights and freedoms of data subjects; where that risk is high, the affected individuals must also be told. All parties are accountable for taking steps to mitigate the effects of the breach where possible.
If the data breach is caused by the processor, the processor must implement technical and organisational measures to assist the controller in dealing with the breach, and remains responsible for its own failures and those of its sub-processors. The ICO can investigate all parties involved to ensure they have met their obligations appropriately.
Do we need to report this incident to the Charity Commission?
The Charity Commission have informed the National Church Institutions that due to the large number of Serious Incident Reports they have received on this, trustees in PCCs and diocesan boards of finance do not need to report to the Charity Commission “if in substance they simply wish to report the same incident in materially similar terms”.
Is the 72-hour deadline for reporting the incident to the ICO based on when an email notifying the breach was sent, or when the email was seen?
The 72-hour window is based on when your organisation became aware of the data breach (i.e. when the email sent from APCS was seen). If you have missed the 72-hour deadline, you can explain that the reason for the delay is because you were fact finding, but it is best if you can do this as close to the 72-hour window as possible.
I would like to request that any data held by APCS on me is deleted under GDPR. How do I go about this?
If you wish to make an erasure request, you can contact APCS via email to enquiries@accesspcs.co.uk or by phone on 0845 6431145. The APCS Privacy policy is available here: www.onlinecrbcheck.co.uk/docs/privacypolicy.pdf
What’s the difference between a data controller and a data processor?
A data controller is the organisation responsible for making the key decisions about how and why data is collected, stored and used, and is responsible for complying with all GDPR obligations. Where the controller uses an external supplier to process personal data on its behalf (a data processor), overall responsibility for data protection compliance remains with the controller. A controller is responsible for ensuring that its processors have provided sufficient assurance that they are GDPR compliant, and for putting in place a suitable contract, which should include instructions on how a data breach will be managed. In the APCS situation the controller is the organisation responsible for uploading data to the APCS system, for example the Church of England Central Services, a Diocesan Board of Finance, or a Parochial Church Council.
A data processor processes personal data solely on behalf of the controller, adhering strictly to the controller's documented instructions. Processors are responsible for complying with their own GDPR obligations, including putting in place a contract with any of their sub-processors that provides an equivalent level of data protection to the contract with the controller. The processor must inform the controller of any data breach without undue delay. In this case APCS is the data processor.
A sub-processor is a supplier providing processing services to the primary data processor. They process personal data on behalf of the primary processor under a suitable contract. This includes implementing appropriate security measures to protect the data, complying with relevant GDPR obligations, and assisting the primary processor and the controller to meet their data protection obligations. In this case Intradev is the sub-processor.
Why are parishes being asked to submit a report to the ICO?
In the event of a data breach, the data controller is responsible for submitting a report to the ICO. In this instance, the “controller” is the organisation responsible for uploading data to the APCS system, for example, the PCC.
What support is available for those who have been affected?
Access to a credit checking and monitoring service from Experian is being made available for 12 months for those affected. If you have been affected by this data breach and you have not received a code to access your Experian Identity Plus account, please contact Susan Beckett (susan.beckett@winchester.anglican.org).
If my passport and driving licence details have been accessed, should I apply for new ones?
The current advice from the national church is that they do not believe it is necessary to replace driving licences or passports, as the images associated with these documents were not breached. Risk still remains so we cannot offer a definitive answer to this question.
What support will I be offered if my data is used maliciously through this breach? For instance if someone uses the data to create a new payment from my bank account or creates a credit agreement that negatively affects my credit file?
We are encouraging all colleagues who are potentially affected by this to sign up to the Experian service. This service, provided for 12 months, will help you to keep an eye out for any changes that suggest someone is using your data improperly – for instance, you will get an alert if someone sets up a new credit agreement. If you become the victim of fraud, you will be offered help through Experian’s caseworker service to get back on track and sort out your credit file.
In addition, you should look out for any unwanted calls, emails or contact to you directly, including monitoring your bank account. You might find it helpful to talk to your bank now to let them know of the situation. Some are able to put in place additional identification verification checks for making/setting up payments, to help keep your money safe.
If I lose money or my credit file is affected due to fraud, will I be compensated?
The Diocese will work alongside you and do what we can to ensure that no colleague loses out as a result of this breach by APCS. In the hopefully rare event that someone suffers a loss, we will work with you to help rectify the situation.
What can I do to protect myself from fraud?
Stay alert to unexpected emails, calls, or letters that mention personal details about you. Never give personal information to unsolicited callers, even if they seem to know details about you. Verify any unexpected contact by calling the organisation directly using their official number. Monitor for new applications made in your name (check your credit report – see below for information about the service that will be available to you from Experian). Look for any new accounts, credit searches, or applications you did not make. Inform your bank, building society and credit card company of any unusual transactions on your statement.
Who can I speak to about getting an access code for the credit check and web monitoring service from Experian?
Please contact Susan Beckett for your code: susan.beckett@winchester.anglican.org
How do I read my credit report? I have never had one before
If you are not sure where to start, take a look at this guide from Experian: www.experian.co.uk/consumer/experian-credit-report.html
Your credit report has different sections. For instance, it will show information about you, any credit agreements you have (e.g. your mortgage or with a phone company), your financial connections (e.g. spouses/partners), and details of any missed/overdue payments on credit agreements.
What happens beyond 12 months with the Experian service?
At the end of the 12-month period, individuals will receive an email telling them that their subscription is coming to an end and setting out the options available to them.
How up to date is Experian? For instance, if someone set up a credit agreement today, would they tell me today?
Through your Experian Identity Plus subscription, you will be offered daily alerts when something has changed within your credit report. The subscription also allows you to lock your Experian credit report to help stop fraudsters taking out agreements in your name.
I have been advised to use CIFAS as well. Is this necessary?
Experian is a member of CIFAS (Credit Industry Fraud Avoidance System) and can access data related to confirmed fraud cases. CIFAS focuses on fraud prevention; Experian offers identity verification and fraud prevention.
I already have an Experian account, or I have used Experian in the past. What should I do?
If you sign up to Experian using the code we have given you and your personal email address, you may be told that an account already exists under that username. In that case, either continue to use your existing account if you are still paying for it (and let us know that you do not need the code), or create a new account using a different email address. If you need further assistance, please call the Experian support line on 03444 818182.
Experian asks for a lot of personal data, should I be giving this to them?
When you create the account, you will be asked for an email address to use as your username. Use your own personal email account, because reports from Experian contain your personal financial information, which should not be held in a work email inbox. You may be asked for your date of birth and address so that Experian can identify you, and they may ask for additional data, for example your mother's name, as a further security check. They will already know some of your financial arrangements (e.g. mortgage information, bank account details, or other arrangements where you have had a credit check) and will ask you to confirm these. They need these details to ensure that they monitor all of your financial arrangements; however, they also collect data for marketing purposes.
You should read the Experian Consumer Privacy Policy. To opt out of marketing, use the "Opt out by marketing channel and industry sector" page on the Experian Consumer Information Portal.
I have been approached by a journalist to ask me about the breach. What do I do?
Please do not offer any comment and refer them to our communications team: jemima.lewis@winchester.anglican.org.