Data Breach – Data associated with DBS checks through Access Personal Checking Service (APCS)
We have been made aware that the software supplier of the external organisation that we use for conducting DBS checks (APCS) has suffered a significant cyber-attack resulting in a data breach. Personal information used to check identification has been compromised, including names, dates of birth, addresses, and passport / driving licence details. APCS has confirmed that they do not store payment card details or records of any criminal convictions.
On 17 August 2025, APCS were notified by Intradev – their external software supplier – of a potential data breach. Intradev confirmed that they have been subject to unauthorised access and certain files that relate to personal data were copied from their systems during a recent cyber-attack.
We are led to believe the data breach concerns data collected between December 2024 and 8 May 2025.
APCS and our own diocesan network and servers were not compromised.
APCS is working with Dioceses affected and conducting a thorough investigation to determine the full scope of the data involved.
We understand that 13,000 people have been affected by the data breach across the country, including 327 people who had completed a DBS check via the Hereford Diocesan Office. We are currently contacting all these people directly, so if you do not receive an email from Kerry Preedy within the next couple of days, there is no indication that any of your personal information is affected by this breach.
We are liaising with APCS to understand how many of our parishes complete their own DBS checks and may have been affected. If you have received an email from them and haven’t already let us know, please contact us so we can provide any support you might need in contacting individuals affected / completing reports. Carl Steventon has sent a separate email to all Parish Safeguarding Officers (text at the end of this statement).
If your parish completes its own DBS checks using APCS, and you have been notified that the parish is affected by the breach, it is important that the parish itself files a report with the Information Commissioner’s Office (ICO) as well as with the Charity Commission – we can provide templates to help you do this if necessary. This is because PCCs (like the DBF) are separate legal entities, and we have been told it is not possible for the DBF or the national team to make a ‘blanket’ report for all affected legal entities. However, we have already notified the Information Commissioner’s Office and the Charity Commission, so they are aware of the breach.
We will provide an update if we have any further information. In the meantime, please remain vigilant in managing your own personal information online to minimise any potential risk, especially if you are approached by any unknown individual or organisation that may not appear genuine, or if you receive any phishing emails that contain harmful links or attachments.
Support for individuals affected by the data breach:
The National Church Institutions are offering 12 months of free credit and web monitoring services, provided by Experian, to individuals within the Church of England affected by the breach. The Experian Identity Plus account helps detect possible misuse of personal data and provides people with identity monitoring support, focused on the identification and resolution of identity theft.
Access codes will be made available to our diocese to distribute and instructions about how you can access your Experian account will also be sent shortly.
We have set up a dedicated email address for anyone to ask advice about this situation. If you have any concerns at all, email us on dataprotection@hereford.anglican.org.
-END-
TEXT OF CARL STEVENTON’S EMAIL TO PARISH SAFEGUARDING OFFICERS
Dear Parish Safeguarding Officer,
Subject: Important Update – APCS Data Breach and DBS Processing
You may be aware that Intradev, the software supplier to our DBS provider, Access Personal Checking Service (APCS), has suffered a data breach, affecting personal data collected between December 2024 and 8 May 2025.
A data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This breach has impacted several dioceses, including the Diocese of Hereford.
APCS has a processing arrangement with the Diocese of Hereford to carry out DBS checks. Anyone affected by the breach will be contacted directly by the Diocese, who will provide full details of the breach and the next steps to take.
If your parish has used APCS independently (i.e. outside the checks processed by the Diocese), you may receive a separate communication directly from APCS. If you do receive such a message, you must:
1. Report the breach to the Information Commissioner’s Office (ICO) and Charity Commission (we can help with this).
2. Notify all individuals whose data may have been compromised.
APCS will provide you with the relevant information regarding those affected.
In the meantime, we have received guidance from the national church advising that no further DBS checks should be processed via APCS until further notice.
Please note:
• Do not verify any new DBS applications, even if reminder emails are received.
• Ensure all parish verifiers are made aware and instructed not to proceed with verifications.
We will issue further updates as soon as we receive more information from the national church or once assurances are provided regarding APCS’s data security.