We have been made aware of a data breach that has occurred involving data processed by Access Personal Checking Services (APCS) Ltd.
We have been made aware of a data breach that has occurred involving data processed by Access Personal Checking Services (APCS) Ltd, the provider that Activate Learning and most other colleges and universities currently use to process Disclosure and Barring Service (DBS) checks for HR purposes.
On 17 August 2025, APCS were notified by Intradev, their external software supplier, of a potential data breach. Intradev confirmed that they have been subject to unauthorised access and certain files that relate to personal data were copied from their systems during a recent cyberattack.
The data breach concerns data collected from December 2024 to Thursday 8 May 2025. The affected data is likely to include name, date of birth, email address, postal address, place of birth, gender, National Insurance Number, Passport details and Driving Licence. APCS have confirmed that they do not store payment card details or records of any criminal convictions.
APCS and our own network and servers were not compromised.
We are working closely with APCS who are conducting a thorough investigation to determine the full scope of the data involved. It is likely that this includes any data submitted for DBS applications in the period referred to above. APCS are only contacting data controllers (for example, Activate Learning) where they know there has been a data breach. We have been advised by APCS that we can continue using their services as normal.
The potential impact on any affected individuals may include identity theft. APCS are actively assessing the situation to understand the extent of the impact and will keep us informed of any significant developments.
We have carried out a risk assessment and have made the decision to report this incident to the Information Commissioner’s Office (the ICO).
We take this matter very seriously and APCS are committed to resolving it promptly and effectively. We will update you on any further action that may be required in due course. In the meantime, please continue to remain vigilant in managing your own personal information online to minimise any potential risk, particularly if you are approached by any unknown individual or organisation that may not appear genuine and if you receive any phishing emails that contain harmful links or attachments.
We advise of the following to guard against identity theft and other harms from compromise of your personal information:
- Practise vigilance. Examine monthly credit and bank statements. Are there new unknown or suspicious charges?
- Be on guard for red flags. Is there a sudden increase in credit inquiries or alerts? An interruption of automated payments to any of your accounts? These could be indicators of compromise of your identity and personal information.
- Protect your passwords. You may want to consider changing your passwords. Use different passwords for different websites, accounts and devices. Two-factor authentication is best. Regularly update security settings.
If you have any concerns, please speak to the data protection team.
Kind regards,
Tyron Bancroft
Group Head of Risk and Resilience and Senior Information Risk Owner (SIRO)