Affinity Learning Partnership, a UK education trust managing seven schools with over 650 employees, suffered a data breach originating from a cyberattack on its third-party software provider, Intradev, in August. The breach exposed sensitive employee data, including names, addresses, passport numbers, driving license details, National Insurance numbers, and background check records (e.g., DBS/QTS numbers). The attack was facilitated through OnlineSCR (Single Central Record Ltd), a service provider handling recruitment and criminal record checks for schools, which relied on Intradev’s compromised systems. The severity of exposure varied—some staff had only basic details (e.g., surnames) leaked, while others faced high-risk data compromise. Affinity notified affected employees, offered two years of CIFAS protective registration to mitigate fraud risks, and advised precautionary measures, though the ICO (Information Commissioner’s Office) did not mandate passport/driving license replacements. The incident underscores vulnerabilities in third-party supply chains, where attacks on service providers (e.g., Intradev) cascade to clients like schools, which often lack robust cybersecurity defenses. The breach highlights systemic risks in sectors holding sensitive personal data, particularly where budget constraints limit protective measures.
Source: https://www.theregister.com/2025/09/05/uk_schools_intradev_breach/
TPRM report: https://www.rankiteo.com/company/affinitylp
"id": "aff5264952090625",
"linkid": "affinitylp",
"type": "Breach",
"date": "8/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'customers_affected': '650+ staff members (varies by '
'data exposure level)',
'industry': 'Education',
'location': 'UK',
'name': 'Affinity Learning Partnership',
'size': '650+ employees, 3,000+ students (ages 3–19)',
'type': 'Education Trust'},
{'customers_affected': 'Multiple schools and trusts '
'using OnlineSCR services',
'industry': 'Education/Recruitment',
'location': 'UK',
'name': 'OnlineSCR (Single Central Record Ltd)',
'type': 'Service Provider'},
{'customers_affected': 'Multiple clients, including '
'APCS and OnlineSCR',
'industry': 'Technology',
'location': 'Hull, UK',
'name': 'Intradev',
'type': 'Software Developer'},
{'customers_affected': 'Employers using APCS for '
'criminal record checks',
'industry': 'Background Checks',
'location': 'UK',
'name': 'Access Personal Checking Services (APCS)',
'type': 'Service Provider'}],
'customer_advisories': ['Staff advised to monitor for identity theft; some '
'may choose to replace compromised documents (e.g., '
'passports, driving licenses), though ICO guidance '
'suggests this is not necessarily required.'],
'data_breach': {'data_exfiltration': 'Likely (files and systems reviewed by '
'Intradev)',
'personally_identifiable_information': ['Names',
'Addresses',
'Passport numbers',
'Driving license '
'details',
'National Insurance '
'numbers',
'QTS numbers'],
'sensitivity_of_data': 'High (includes passport numbers, '
'driving license details, National '
'Insurance numbers, and DBS check '
'data)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Sensitive Background Check '
'Data']},
'date_detected': '2023-08-04',
'description': 'A major UK education trust, Affinity Learning Partnership, '
'warned staff that their personal information may have been '
'compromised following a cyberattack on software developer '
'Intradev in August 2023. The breach originated with Intradev, '
'affecting its customer OnlineSCR (Single Central Record Ltd), '
'which provides recruitment and DBS checks for UK schools. '
'Sensitive staff data, including names, addresses, passport '
'numbers, driving license details, and National Insurance '
'numbers, may have been exposed. Affinity offered affected '
'staff two years of CIFAS protective registration to mitigate '
'fraud risks.',
'impact': {'brand_reputation_impact': ['Potential erosion of trust among '
'staff and schools',
'Negative media coverage (e.g., The '
'Register)'],
'data_compromised': ['Names',
'Addresses',
'QTS numbers',
'Passport numbers',
'Driving license details',
'National Insurance numbers',
'Background check details'],
'identity_theft_risk': 'High (due to exposure of passport numbers, '
'driving license details, and National '
'Insurance numbers)',
'legal_liabilities': ['Potential ICO investigation',
'Possible legal actions from affected staff'],
'operational_impact': ['Potential identity theft risks for staff',
'Need for additional fraud prevention '
'measures (e.g., CIFAS registration)',
'Disruption to recruitment and DBS check '
'processes'],
'systems_affected': ["Intradev's bespoke software systems",
"OnlineSCR's recruitment and DBS check "
'systems']},
'initial_access_broker': {'high_value_targets': ["OnlineSCR's repository of "
'staff recruitment and DBS '
'check data']},
'investigation_status': 'Ongoing (Intradev conducting detailed investigation; '
'ICO response pending)',
'lessons_learned': ['Third-party service providers can introduce significant '
'security risks, even for organizations with robust '
'direct security measures.',
'Education institutions are attractive targets for '
'cybercriminals due to valuable personal data and limited '
'IT security budgets.',
'Proactive measures like CIFAS registration can help '
'mitigate post-breach risks for affected individuals.'],
'post_incident_analysis': {'corrective_actions': ['Offered CIFAS protective '
'registration to affected '
'staff',
'Ongoing investigation by '
'Intradev to review '
'affected files and '
'systems'],
'root_causes': ['Third-party vulnerability '
"(Intradev's systems compromised)",
'Potential lack of adequate '
'security controls for sensitive '
'data handled by '
'OnlineSCR/Intradev']},
'recommendations': ['Conduct thorough third-party risk assessments for all '
'service providers handling sensitive data.',
'Implement multi-layered security controls, including '
'encryption for highly sensitive data like passport and '
'National Insurance numbers.',
'Develop and test incident response plans that include '
'communication strategies for affected stakeholders.',
'Provide staff training on recognizing and responding to '
'data breach notifications and fraud risks.'],
'references': [{'source': 'The Register'},
{'source': 'Browne Jacobson Law Firm Blog'}],
'regulatory_compliance': {'legal_actions': ['Potential ICO investigation',
'Possible legal claims from '
'affected individuals'],
'regulations_violated': ['Potential GDPR violations '
'(UK GDPR)'],
'regulatory_notifications': ['ICO notified '
'(awaiting response)']},
'response': {'communication_strategy': ['Notified all affected staff via '
'letter',
'Included precautionary steps and '
'support options',
'Media statements (e.g., The '
'Register)'],
'incident_response_plan_activated': 'Yes (Intradev conducting '
'detailed investigation)',
'remediation_measures': ['Offered 2 years of CIFAS protective '
'registration to affected staff',
'Provided precautionary steps and '
'additional support options to staff'],
'third_party_assistance': ['CIFAS (protective registration for '
'affected staff)']},
'stakeholder_advisories': ['Affinity Learning Partnership notified all '
'affected staff via letter with precautionary '
'steps and support options.'],
'title': 'Cyberattack on Intradev Affects UK Education Trust (Affinity '
'Learning Partnership) via OnlineSCR',
'type': ['Data Breach', 'Third-Party Breach', 'Cyberattack']}