A data breach has occurred involving Access Personal Checking Services (APCS) Ltd – the provider the diocese and most parishes currently use for Disclosure and Barring Service (DBS) checks for parish officers.
On 17 August 2025, APCS were notified by Intradev – their external software supplier – of a potential data breach. Intradev confirmed that they have been subject to unauthorised access and certain files that relate to personal data were copied from their systems during a recent cyber-attack.
According to the information we have received from APCS, we believe the breach mainly concerns data collected broadly between December 2024 and May 2025 (with the likelihood of some outside this timeframe).
About the data breach
What has happened?
We have been notified that one of the suppliers of Access Personal Checking Services Ltd (APCS) has been subject to a significant data breach. APCS carries out Disclosure and Barring Service (DBS) checks on behalf of the National Church Institutions (NCIs), some Dioceses and Parochial Church Councils (PCCs). The breach has affected clergy, lay ministers, volunteers, and staff.
Who has it affected?
This breach has impacted people across a number of Church of England Dioceses and parishes who have been subject to a recent DBS check. APCS carries out DBS checks on behalf of some Dioceses and PCCs, and the National Church Institutions (NCIs).
Who are APCS and what do they do?
APCS specialise in processing disclosures for individuals and small business owners, large public and private sector companies, organisations, and recruitment agencies.
When did this happen?
APCS have stated that their external software supplier, Intradev, notified them on 17 August that their system had been compromised between 31 July 2025 and 15 August 2025, and certain files containing personal details were copied. APCS were provided with copies of the compromised data on Monday 18 August. APCS’ own network and servers were not compromised.
According to the information we have received from APCS, we believe the breach mainly concerns data collected between December 2024 and May 2025 (with the possibility of some falling outside this timeframe).
Have other organisations outside of the C of E been affected?
Yes. APCS provides Disclosure and Barring Service (DBS) checks to many organisations. This breach also impacts those bodies.
How confident are we that only those notified have been affected?
APCS has started the process of notifying those individuals affected by the breach. APCS has said that the breach only affects those individuals who were subject to a DBS check broadly between 1 December 2024 and 9 May 2025, but this is an evolving situation, and we will keep you updated as we receive more information. We believe that all PCCs affected have been contacted – either directly by APCS or by the diocesan data team. PCCs will be responsible for contacting their affected individuals directly.
Is this data breach connected to the data incident involving the independent Redress Scheme?
No. The two incidents are entirely unconnected. A statement by the Church of England on the Redress Scheme data breach can be found here.
What personal information has been leaked?
We are currently awaiting more details from APCS. However, we understand that the breach may have affected some or all of the following information:
- Name
- Phone number
- Date of birth
- Email address
- Postal address
- Place of birth
- National Insurance number
- Passport number
- Driving licence number
It does not include:
- Financial details
- Passwords
- Medical information
- Information on any disclosures (e.g. criminal records)
- Information about protected characteristics (e.g., ethnicity, disability, sexual orientation, marital status)
The information that was accessed was in text format only. No documents or images were affected.
What is the Diocese of Southwark doing?
- All those that we are aware have been affected by the data breach have been contacted with advice and support, either directly (for those whose DBS checks were submitted by the Diocese) or by informing their PCC (for those whose DBS checks were submitted by their parish).
- All affected individuals are being offered 12 months of free access to an enhanced credit checking and monitoring service from Experian.
- All DBS checks with APCS have been paused until further notice.
- This incident has been reported to the Information Commissioner’s Office (ICO). We have been informed that the Charity Commission are aware of the issue on a national basis.
- We will continue to update our website with any relevant new guidance – and will be in touch directly with those affected, as necessary.
- We will be reviewing our response to this situation, to see what might be learned and how we might better support people in future.
Reporting the breach and data protection
Video: how to report the breach to the ICO
Do PCCs need to report the incident to the ICO?
Yes. PCCs should report separately to the ICO if they have directly accessed the service i.e. if they have been uploading data to APCS themselves (this makes them a ‘data controller’ under Data Protection Law). This should be done within 72 hours of becoming aware of the breach, although if this deadline has been missed a report should still be made as soon as possible.
If the DBF have been uploading data on their behalf, the PCC does not need to report to the ICO, as the DBF has been acting as the lead data controller in that situation and a report has already been made by the DBF. You can assess this by checking who APCS is corresponding with – if they have contacted the PCC directly, then it is likely that the PCC is a data controller – and therefore must report to the ICO.
Whether the PCC is part of the ‘national deal’ for DBS checks is not the issue for reporting to the ICO – the key issue is who the data controller is, so if the PCC have their own contract with APCS and have been contacted, they must report it.
Is the 72-hour deadline for reporting the incident to the ICO based on when an email notifying the breach was sent, or when the email was seen?
The 72-hour window is based on when your organisation became aware of the data breach (i.e. when the email sent from APCS was seen). If you have missed the 72-hour deadline, you can explain that the reason for the delay is that you were fact-finding, but it is best if you can do this as close to the 72-hour window as possible. PCCs should not delay in making a report in order to carry out further investigations.
Who is responsible for reporting a breach to the ICO?
Data controllers are required to report a high-risk data breach (such as this one) to the ICO. A high-risk data breach is one which has a significant effect on the rights and freedoms of data subjects. All parties are accountable for taking steps to mitigate the effects of the breach where possible.
Do we need to report this incident to the Charity Commission?
The Charity Commission has informed the National Church Institutions that due to the large number of Serious Incident Reports they have received on this matter, trustees in PCCs and diocesan boards of finance do not need to report to the Charity Commission “if in substance they simply wish to report the same incident in materially similar terms.”
Support for people affected
What support is available for those who have been affected?
Access to an enhanced credit checking and monitoring service from Experian is being made available for 12 months for those affected. If you have been affected by this data breach and you have not received a code to access your Experian Identity Plus account, please contact the diocesan data team via [email protected]. More information about the service available from Experian is contained within these FAQs.
Advice about what additional steps you can take, and the resources available to help protect you from fraud, are also included in these FAQs.
When can I start processing DBS checks again?
We are currently in the process of considering a future alternative and confirming a new DBS check provider. We will be able to update you as soon as the new system is ready for use. Until then we have the following advice:
Renewals of existing DBS checks
Where a check is only required as a renewal of an existing check, these can be paused until an alternative provider has been confirmed. See below for guidance about what to do when someone has completed their application on the APCS system and is only awaiting an ID check.
I still have a DBS check in process on the APCS system. What should I do?
If you have finished entering all the information required for your DBS application, and are just awaiting ID verification, this can still be carried out by your PSO if you are comfortable with completing your application using the APCS system. However, we cannot guarantee that any data submitted prior to the ID verification stage has not been exposed to the breach.
If you have started, but not finished entering the information for your application, we recommend that you wait for a new provider of DBS applications to be in place before proceeding. The Diocese is currently exploring options for a new DBS check provider and will share details when this has been confirmed.
Will there be a new process for DBS checks?
Yes, we are in the process of confirming a new provider. Details will be available as soon as the system is ready to use. You will be able to find out more here.
Who can I contact about the data breach?
If my passport and driving licence details have been accessed, should I apply for new ones?
The current advice from the national Church is that it is not necessary to replace driving licences or passports, as the images associated with these documents were not breached.
What support will I be offered if my data is used maliciously through this breach? For instance, if someone uses the data to create a new payment from my bank account or creates a credit agreement that negatively affects my credit file?
We are encouraging all those who are potentially affected by this to sign up to the Experian service. This service, provided free to those affected for 12 months, will help you to keep an eye out for any changes that suggest someone is using your data improperly – for instance, you will get an alert if someone sets up a new credit agreement. If you become the victim of fraud, you will be offered help through Experian’s caseworker service to get back on track and sort out your credit file.
In addition, you should look out for any unwanted calls, emails or contact to you directly, including monitoring your bank account. You might find it helpful to talk to your bank now to let them know of the situation. Some banks are able to put in place additional identification verification checks for making/setting up payments, to help keep your money safe.
What can I do to protect myself from fraud?
- Stay alert to unexpected emails, calls, text messages or letters that mention personal details about you
- Never give personal information to unsolicited callers, even if they seem to know details about you
- Verify any unexpected contact by calling the organisation directly using their official number
- Monitor for new applications made in your name:
  - Check your credit report – see below for information about the service that will be available to you from Experian shortly.
  - Look for any new accounts, credit searches, or applications in your name that you did not make.
- Inform your bank, building society and credit card company of any unusual transactions on your statement.
Useful links and contact numbers
Action Fraud
The government has put together this checklist to help with the steps to take to repair your identity and prevent re-victimisation.
The National Fraud and Cyber Crime Reporting Centre has a wealth of advice and resources on the Action Fraud website:
- www.actionfraud.police.uk
- Call Action Fraud on 0300 123 2040
GOV.UK
- Advice from GOV.UK on the actions you should take if you have shared personal information
Financial Ombudsman Service
If you have lost money because of fraud or a scam – and you are unhappy with how your bank or payment service provider handled things – The Financial Ombudsman Service may be able to help.
General advice
- www.citizensadvice.org.uk
- Call Citizens Advice on 0808 223 1133
To report the theft or loss of post
- Royal Mail website: www.royalmail.com/report-a-crime
- Or call Royal Mail on 08457 740 740
I have been approached by a journalist to ask me about the breach. What do I do?
Please do not offer any comment and refer them to our communications team at [email protected].
Experian Identity Plus
Who can I speak to about getting an access code for the credit check and web monitoring?
If you have been affected by the data breach, you do not need to request this – the diocesan data team is getting in touch proactively with all individuals and PCCs affected to provide codes that will enable individuals to access this service.
What does the Experian Identity Plus account provide?
Full details of the support offered by the Experian Identity Plus subscription are available in this guide.
How do I read my credit report? I have never had one before
If you are not sure where to start, take a look at this guide from Experian.
Your credit report has different sections. For instance, it will show information about you, any credit agreements you have (e.g. your mortgage or with a phone company), your financial connections (e.g. spouses/partners), and details of any missed/overdue payments on credit agreements.
What happens beyond 12 months with the Experian service?
At the end of the 12-month period the individuals will get an email to say their subscription is coming to an end and outlining the options available to them.
How up to date is Experian? For instance, if someone set up a credit agreement today, would they tell me today?
Through your Experian Identity Plus subscription, you will be offered daily alerts as to whether something has changed within your credit report. The subscription also allows you to lock your Experian credit report to help stop fraudsters taking out agreements in your name.
I already have an Experian account, or I have used Experian in the past. What should I do?
When you log into Experian using the code we have given you, and you are using your personal email address, you may be told that you already have an account under that username. In this case, either continue to use your existing account (if you are still paying for it) and let us know that you do not need the code – or create a new account using a different email address.
If you need further assistance, please call the Experian support line on 03444 818182.
Experian asks for a lot of personal data. Should I be giving this to them?
When you create the account, you will be asked for your email address as a username. You should use your own personal email account because reports from Experian contain your own personal financial information, which should not be held in a work email inbox.
You may be asked for date of birth and address so that Experian can identify you, and they may ask you for additional data – for example, your mother’s name as an additional security check.
They will already know some of your financial arrangements e.g. mortgage information and bank account details etc, or other financial arrangements where you have had to get a credit check, and they will ask you to confirm these.
Experian needs these details to ensure that it can monitor all your financial arrangements; however, it also collects data for marketing purposes.
You should read their Privacy Notice here: Experian Consumer Privacy Policy
To opt out of marketing click here: Opt out by marketing channel and industry sector – Experian Consumer Information Portal