Intradev Data Breach (2025)

"A CYBER attack on software used by APCS, the company used by many dioceses to carry out Disclosure and Barring Service (DBS) checks, has left hundreds of parishioners at risk of identity theft. The Church Times has confirmed that at least ten dioceses are affected: Derby, Ely, Guildford, Hereford, Newcastle, Oxford, Salisbury, Southwark, Winchester, and Worcester. The incident occurred around 31 July. The diocese of Southwark confirmed on its website on Wednesday that the National Church Institutions were offering 12 months of free credit and web-monitoring services, provided by Experian, to individuals within the Church of England affected by the breach. It said: “The Experian Identity Plus account helps detect possible misuse of personal data and provides people with identity monitoring support, focused on the identification and resolution of identity theft.” Southwark incumbents were contacted by the diocese on Friday evening. The email relayed that, on 17 August, APCS had been notified by its external software supplier, Intradev, of a “recent cyber-attack”, during which personal data had been stolen. The data breach concerned data collected from December 2024 to 8 May 2025. APCS had confirmed that it did not store payment card details or records of any criminal convictions. The data affected are likely to include name, date of birth, email address, postal address, place of birth, gender, National Insurance number, passport details, and driving licences. Winchester diocese reported in an email to parishes that the data affected were text only — not images or documents. A major UK education trust has warned staff that their personal information may have been compromised following a cyberattack on software developer Intradev in August. Affinity Learning Partnership, which operates seven schools and employs more than 650 staff members, sent notifications to affected employees after learning of the breach through one of its service providers, Single Central Record Ltd (also known as OnlineSCR). The trust's schools educate approximately 3,000 children and young people aged 3 to 19. Affinity Learning Partnership sent a message to affected employees, seen by The Register, cautioning that their data might have been leaked: We have written to all staff affected, including those with less data exposure, and included a list of precautionary steps to everyone. However, there is the potential that the impact on you could be more significant and we have been made aware of some additional support options. The breach originated with Hull-based software development company Intradev, which, as The Register exclusively revealed last month, detected a digital break-in on August 4. One of its customers, Access Personal Checking Services (APCS), a provider of criminal record checks for employers, warned its customers of potential data exposure. OnlineSCR, which is a sister company to APCS, specializes in recruitment and Disclosure and Barring Service (DBS) checks for UK schools, making it a repository for highly sensitive staff information including names, addresses, and background check details. It was also using Intradev's services for critical education sector functions."