
Cyber attack leaves hundreds of parishioners at risk of identity theft

A CYBER attack on software used by APCS, the company used by many dioceses to carry out Disclosure and Barring Service (DBS) checks, has left hundreds of parishioners at risk of identity theft.

The Church Times has confirmed that at least ten dioceses are affected: Derby, Ely, Guildford, Hereford, Newcastle, Oxford, Salisbury, Southwark, Winchester, and Worcester. The incident occurred around 31 July.

The diocese of Southwark confirmed on its website on Wednesday that the National Church Institutions were offering 12 months of free credit and web-monitoring services, provided by Experian, to individuals within the Church of England affected by the breach. It said: “The Experian Identity Plus account helps detect possible misuse of personal data and provides people with identity monitoring support, focused on the identification and resolution of identity theft.”

Southwark incumbents were contacted by the diocese on Friday evening. The email relayed that, on 17 August, APCS had been notified by its external software supplier, Intradev, of a “recent cyber-attack”, during which personal data had been stolen. The data breach concerned data collected from December 2024 to 8 May 2025. APCS had confirmed that it did not store payment card details or records of any criminal convictions.

APCS was “conducting a thorough investigation to determine the full scope of the data involved”, the email said. “It is likely that this includes any data submitted for DBS applications in the period referred to above. APCS are only contacting data controllers (i.e. the diocese and PCCs) where they know there has been a data breach. Not all PCCs will need to be contacted. We have been advised by APCS that we can continue using their services as normal.

“The potential impact on any affected individuals may include identity theft.”

The diocese itself has reported the incident to the ICO, but it has advised parishes contacted directly by APCS that they “may need to report the matter to the ICO and notify potentially affected parish officers and others for whom you have carried out DBS checks”.

It also advised recipients to “remain vigilant in managing your own personal information online to minimise any potential risk, particularly if you are approached by any unknown individual or organisation that may not appear genuine and if you receive any phishing emails that contain harmful links or attachments”.

The data affected are likely to include name, date of birth, email address, postal address, place of birth, gender, National Insurance number, passport details, and driving licences. Winchester diocese reported in an email to parishes that the data affected were text only — not images or documents.

On Wednesday, a Southwark diocesan spokeswoman said: “We understand that people will be deeply concerned about this data breach and are doing everything we can to offer clear and helpful guidance to individuals and PCCs affected.

“We are regularly updating those affected and adding any new guidance to our website. We understand that individuals will be given free access to Experian’s Identity Plus credit-monitoring service and we are working to make this available to people as quickly as possible.”

APCS describes itself as “the UK’s fastest DBS checking service”, working with more than 19,000 organisations. Different dioceses have been informed at different times: Ely was not alerted until Saturday evening, while Winchester was contacted on Thursday of last week. DCOs confirmed that dioceses were working to support affected parishes. But advice given varies according to diocese.

A notice on the Newcastle diocese’s website clarified that “PCCs are separate data controllers and therefore have a responsibility to manage data breaches.”

It advised parishes to contact APCS directly “to request an update on their investigation and to understand the extent to which individuals in your PCC may have been affected”. Those affected should consider the likely risks of identity theft and whether or not to contact individuals.

The advice from Salisbury diocese was that parishes affected should contact both the ICO and the individuals affected. The Charity Commission should also be informed, it said, and the national Church had advised parishes not to process any more DBS checks via APCS until further notice.

The diocese of Winchester provided detailed guidance on contacting both affected individuals — including what to say — and the ICO.

The diocese of Worcester has set up a dedicated email for support. Its advice online said that the data breach also concerned the month of November 2024.

Many dioceses confirmed to the Church Times that they were unaffected because they used the DBS checking services of Thirtyone:eight.

Concerned individuals can contact APCS at enquiries@accesspcs.co.uk or 0343 611 2727.
