We have been informed of a data breach that has occurred involving data processed by Access Personal Checking Services (APCS) Ltd – the provider that our diocese, along with many other dioceses, and most parishes currently use to process online Disclosure and Barring Service (DBS) checks. A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
On 17 August 2025, APCS were notified by Intradev – their external software supplier – of a potential data breach. Intradev confirmed that they have been subject to a cyber attack and certain files that relate to personal data were copied from their system.
According to the information we have recieved from APCS, we believe the breach mainly concerns data collected between December 2024 and May 2025. The affected data is likely to include name, date of birth, email address, postal address, place of birth, gender, National Insurance Number, Passport details and Driving Licence. The data affected is text data only. It does not include images or documents. APCS have confirmed that they do not store payment card details or records of any criminal convictions.
APCS and our own network and servers were not compromised. Please note this only affects DBS checks that have been made online, not paper-based ones.
APCS have been contacting parishes where they know there has been a data breach. Not all PCCs will need to be contacted. If you haven’t received an email from APCS, then you are unlikely to have been affected, though you should continue to check your emails, including Spam, from them over the coming days.
The potential impact on any affected individuals may include identity theft. It is therefore best to advise people in your parish to remain vigilant to any signs of this taking place. Some helpful guidance is available on the ICO’s website: https://ico.org.uk/for-the-public/identity-theft/.
We are carrying out a risk assessment and have made the decision to report this incident to the Information Commissioner’s Office (the ICO) and the Charity Commission.
We take this matter extremely seriously and understand the distress and worry it will cause to many. Our team are working hard to keep in touch with parishes and answer questions and concerns. We are following up with APCS regularly and are committed resolving this issue promptly and effectively.
Information for Parishes
A large number of our parishes use APCS to carry out DBS checks. Should you receive an email directly from APCS to inform you of the data breach notification, you will need to report the matter to the Information Commissioner’s Office (see more advice below) and contact those whose data may have breached. The APCS will supply you with details of who has been affected.
What do I need to tell people whose data may have been breached?
- the name and contact details of the person in the parish who looks after data protection, or other contact point where more information can be obtained (eg PSO, PCC Secretary or Incumbent);
- a description of the likely consequences of the personal data breach such as:
- the possibility of receiving spam emails
- Emotional and reputational harm
- Personal information being sold to 3rd party advertisers
- Potential for identity theft
- if you are not sure what to add to your report please use any one or all of the above since they are real examples of potential consequences for a breach like this.
- a description of the measures taken or proposed to deal with the personal data breach (You may need to say that further advice will follow here once you have heard more from APCS.)
- advise them to continue to remain vigilant in managing their personal information online to minimise any potential risk, particularly if they are approached by any unknown individual or organisation that may not appear genuine and if you receive any phishing emails that contain harmful links or attachments.
The ICO also recommends that you advise individuals on the steps they can take to protect themselves, such as:
- reset passwords;
- always use strong, unique passwords; and
- look out for phishing emails or fraudulent activity on their accounts.
Notifying the ICO
To inform the ICO of a personal data breach, please see their pages on reporting a breach. These pages include a self-assessment tool and some personal data breach examples.
DBS Checks going forward
We taken the decision to stop using online applications for DBS checks until further information and advice has been received from the National Safeguarding Team.
Initially this suspension will be until 15 September 2025. If your DBS check is not urgent you may choose to hold the application for a few weeks by which point we hope we will have had more guidance from the NST. However, we will still be able to offer paper based DBS applications.
Please send all paper based applications to Siona.Jeffery@winchester.anglican. For those of you who have not previously used the paper based system, Siona is able to offer training via Zoom and also offer refresher training for anyone who needs it.
Support for individuals affected by the data breach:
The National Church Institutions are offering 12 months of free credit and web monitoring services, provided by Experian, to individuals within the Church of England affected by the breach. The Experian Identity Plus account helps detect possible misuse of personal data and provides people with identity monitoring support, focused on the identification and resolution of identity theft.
Access codes will be made available to our diocese to distribute and instructions about how you can access your Experian account will also be sent shortly.
Next steps
While there is no guarantee that your information won’t be misused, most people affected by data breaches do not experience any problems. The guidance above provides sensible precautions based on what information was accessed.
Please look out for a follow-up email with details about how to access the Experian credit monitoring service. We strongly encourage that you take this up.
If you wish to contact APCS directly, please do so on enquiries@accesspcs.co.uk or 0343 611 2727.
