We are now aware of a data breach that has occurred involving data processed by Access Personal Checking Services (APCS) Ltd – the provider the diocese and most parishes currently use to process Disclosure and Barring Service (DBS) checks for parish officers. 

On 17 August 2025, APCS were notified by Intradev – their external software supplier – of a potential data breach. Intradev confirmed that they have been subject to unauthorised access and that certain files relating to personal data were copied from their systems during a recent cyber-attack.

The data breach concerns data collected from December 2024 to 8 May 2025. APCS have confirmed that they do not store payment card details or records of any criminal convictions. The affected data is likely to include name, date of birth, email address, postal address, place of birth, gender, National Insurance Number, Passport details and Driving Licence.

APCS and our own network and servers were not compromised.

We are working closely with APCS, who are conducting a thorough investigation to determine the full scope of the data involved. It is likely that this includes any data submitted for DBS applications in the period referred to above. APCS are only contacting data controllers (i.e. the diocese and PCCs) where they know there has been a data breach. Not all PCCs will need to be contacted. We have been advised by APCS that we can continue using their services as normal.

The potential impact on any affected individuals may include identity theft. APCS are actively assessing the situation to understand the extent of the impact and will keep us informed of any significant developments.

Information for Incumbents, PCC Secretaries, Parish Safeguarding Officers, Safeguarding – DBS Contact and Churchwardens:

We are aware that a number of parishes use APCS to carry out DBS checks, as recommended by the Diocese. Should you receive an email directly from APCS to inform you of the data breach notification, you may need to report the matter to the Information Commissioner’s Office (ICO) and notify potentially affected parish officers and others for whom you have carried out DBS checks.

If you are contacted by APCS, it is because there are parish officers for whom you have carried out a DBS check between December 2024 and May 2025.

We have carried out a risk assessment and have made the decision to report this incident to the Information Commissioner’s Office (the ICO).

We take this matter very seriously and APCS are committed to resolving it promptly and effectively. We will update you on any further action that may be required in due course. In the meantime, please remain vigilant in managing your own personal information online to minimise any potential risk, particularly if you are approached by any unknown individual or organisation that may not appear genuine, or if you receive any phishing emails that contain harmful links or attachments.

If you have any questions or concerns in relation to this email, please contact Diocesan colleagues via email at: [email protected]