Access Personal Checking Services (APCS)

Access Personal Checking Services (APCS), a leading UK provider of criminal record checks (DBS checks) for employers, suffered a data breach originating from a third-party software developer, Intradev. The breach exposed customers' basic personal information, passport details, driving license data, and National Insurance numbers, though financial information was reportedly not compromised. APCS, which serves over 19,000 organizations including sectors like healthcare, finance, and child/vulnerable adult services notified affected customers via email. The attack was detected on August 4, with Intradev (NCSC Cyber Essentials-certified) confirming unauthorized malicious activity in its systems. While the exact attack vector (e.g., ransomware) remains unconfirmed, the incident was escalated to the ICO and Action Fraud. The scope of the breach, including the number of impacted individuals, is still under investigation. The compromised data could enable identity fraud or phishing, posing risks to both employees and customers whose sensitive records were processed through APCS’s DBS checks.

Source: https://www.theregister.com/2025/08/22/apcs_breach/

TPRM report: https://www.rankiteo.com/company/apcs-dbschecks

"id": "apc239082325",
"linkid": "apcs-dbschecks",
"type": "Breach",
"date": "8/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': 'unknown (works with 19,000+ '
                                              'organizations)',
                        'industry': 'background screening / criminal record '
                                    'checks',
                        'location': 'UK',
                        'name': 'Access Personal Checking Services (APCS)',
                        'type': 'private company'},
                       {'industry': 'IT services / bespoke software',
                        'location': 'Hull, UK',
                        'name': 'Intradev',
                        'type': 'software development company'}],
 'customer_advisories': 'APCS sent breach notifications to affected customers',
 'data_breach': {'data_exfiltration': 'likely (under investigation)',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'high (identity verification data)',
                 'type_of_data_compromised': ['personal identifiable '
                                              'information (PII)',
                                              'government-issued '
                                              'identification (passport, '
                                              'driving license)',
                                              'national insurance numbers']},
 'date_detected': '2023-08-04',
 'description': 'A leading UK provider of criminal record checks for '
                'employers, Access Personal Checking Services (APCS), is '
                'handling a data breach originating from a cyberattack on its '
                'third-party development partner, Hull-based Intradev. The '
                'breach exposed personal data, including passport, driving '
                'license, and national insurance details, of APCS customers. '
                'The incident was detected on August 4, and the source of the '
                'intrusion remains under investigation. Intradev, certified '
                "under the UK NCSC's Cyber Essentials program, reported the "
                'incident to authorities, including the ICO and Action Fraud. '
                'APCS works with over 19,000 organizations, though the exact '
                'number affected is unclear.',
 'impact': {'brand_reputation_impact': 'potential reputational damage '
                                       '(unquantified)',
            'data_compromised': ['basic personal information',
                                 'passport details',
                                 'driving license details',
                                 'national insurance details'],
            'identity_theft_risk': 'high (personal and identification data '
                                   'exposed)',
            'legal_liabilities': 'potential (under investigation by ICO)',
            'payment_information_risk': 'none (APCS confirmed financial '
                                        'information was not compromised)'},
 'investigation_status': 'ongoing (source of intrusion and full scope under '
                         'investigation)',
 'references': [{'source': 'The Register',
                 'url': 'https://www.theregister.com'}],
 'regulatory_compliance': {'regulations_violated': ['UK GDPR',
                                                    'Data Protection Act 2018 '
                                                    '(potential)'],
                           'regulatory_notifications': ['Information '
                                                        "Commissioner's Office "
                                                        '(ICO)',
                                                        'Action Fraud']},
 'response': {'communication_strategy': 'customer notifications sent by APCS; '
                                        'statements to The Register',
              'containment_measures': 'initial containment implemented '
                                      'immediately',
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'remediation_measures': 'detailed investigation ongoing, '
                                      'including review of affected '
                                      'files/systems'},
 'stakeholder_advisories': 'APCS notified customers via email; Intradev '
                           'liaising with ICO and Action Fraud',
 'title': 'Data Breach at Access Personal Checking Services (APCS) via '
          'Third-Party Vendor Intradev',
 'type': ['data breach', 'third-party breach']}