Security Updates

Latest Update

We want to reassure all our customers that our systems remain completely secure and have not been compromised in any way. You can continue to use APCS’s services as normal, and you will continue to receive the excellent customer service experience you are accustomed to.

We understand there is concern about this incident, which took place outside of our own internal servers. However, we want to emphasise that this does not affect our current operational systems in any way. We have acted swiftly to investigate the data found on the third-party’s systems and have informed affected organisations as quickly as possible. To help support you through this process, we have provided a sample template that you can use with your data subjects.

We have answered questions which are currently within our immediate knowledge and are continuing investigations to understand the full extent of the situation. Unfortunately, some of these investigations are outside of our control as they are being carried out by the third party subject to the breach and also the police.

In the meantime, please find below an updated list of frequently asked questions to address the most common queries we have received:

Frequently Asked Questions

Our systems remain robust and have not been breached. We continue to operate as normal and you can use our services with complete confidence. This incident involved a third-party software provider and was not directed at APCS.

Q: Was APCS specifically targeted in this cyber attack?
A: The cyber attack was not directed at APCS directly. It was aimed at our third-party software provider, which serves many clients from a diverse range of industries.

Q: Has any criminal records information been compromised?
A: Our understanding is that no information relating to criminal records has been exposed. At this early stage of the investigation, we can confirm that the compromised data is limited to that which has been notified to you already.

Q: What is the current status of the data held by the third-party software provider?
A: We have been informed by the third-party software provider that this data has been deleted.

Q: Do you have any evidence that the compromised data has been misused?
A: We currently have not received any evidence as of 15th September 2025 or confirmation that the data has been published on the dark web and have not had any reported records of identity theft. However, the police are conducting an ongoing investigation.

Q: What key areas are being investigated in this data breach?
A: The ongoing investigation by the third-party software provider is focused on the following key areas:

• Data storage practices – specifically, how the data came to be stored on their servers when no transfer should have occurred;
• Status of the stolen data – including whether it has been sold or otherwise distributed;
• Law enforcement involvement – A police investigation is underway to identify those responsible for the breach.

Q: Are the police involved in this investigation?
A: Yes, a police investigation is underway to identify those responsible for the breach.

Q: Have you engaged legal experts to review this incident?
A: We have engaged specialist commercial lawyers to conduct a thorough review of our third-party relationships and to provide recommendations where necessary. We are also liaising directly with the legal advisors of the third-party software provider.

Q: Are you strengthening your third-party contracts?
A: As part of this process, we are working closely with our legal advisors to ensure all third-party contracts are updated and strengthened where and if they consider necessary. We wish to reiterate that we are confident that our relationships with third parties are secure and this recent attack is not reflective of how secure our practices are.

Q: What additional measures have you implemented for data governance?
A: We have appointed an external specialist Data Protection Officer to further enhance our data governance. We will share more updates on this appointment and other developments as they become available.

Q: Can individuals request deletion of their data?
A: Individuals can make such requests, and we can remove the data from our internal servers. However a hard copy extraction of the data which was subject to the cyber-attack was delivered up by third-party software provider. This data is being retained and preserved for law enforcement purposes and to support the ongoing investigation. Once this is complete, the data will be destroyed.

Q: What is your current position on credit monitoring and compensation?
A: We are currently exploring whether credit monitoring can be offered. In respect of compensation, we suggest that individuals retain information in respect of any losses. As we have a legal team instructed who will be dealing with claims, we will not be responding to requests for compensation until the outcome of the investigation as liability has not yet been determined.

Frequently Asked Questions

(More questions and answers will be added over time)

Q: Can we continue using APCS services safely?
A: Yes, absolutely. It is important to note that our systems were not compromised and they were not the subject of a cyber-attack. We remain fully operational and our own servers and systems remain secure. You can continue using our services normally with confidence.

Q: Was this attack targeted at our organisation?
A: No. This was a separate attack on a third party’s internal systems which are separate from our own. The third party provides software services as part of their business.

Q: What was the cause of the unauthorised access to the third party systems?
A: We were informed by the third party that the unauthorised access was the result of a malicious cyber-attack by an external entity. Investigations are still ongoing as to the detail of the attack.

Q: Have you reported this to the ICO? What’s the reference number?
A: Yes, we reported this on 18th August 2025 as a precautionary measure. ICO Reference: IC-415196-Q7C6. However, as Data Controllers, you must make your own ICO report if the breach poses risk to individuals’ rights and freedoms. You can reference our number to help the ICO understand these reports relate to the same underlying incident.

Q: Why did you contact our account manager instead of our Data Protection Officer (DPO)?
A: We don’t specifically hold DPO contact details on our systems. We sent the notification to the contact we hold as the manager for your organisation account. We specifically instructed them to share the information to your DPO.

Q: What should we tell our staff about this incident?
A: You can use or adapt the Data Breach Notification Template we provided which includes risk-based messaging depending on which data categories were affected. Further information for your data subjects on how to protect themselves from the impact of a data breach can be found on the NCSC website www.ncsc.gov.uk/guidance/data-breaches.

Q: What data was actually compromised?
A: Where we have been provided with confirmation from the third party regarding the kind of data that has been compromised, we have provided that data directly to the customer via an Excel Spreadsheet, which was prepared by us – the spreadsheet contains details of the data that was compromised. The spreadsheet itself was not compromised but prepared by us as a means of effectively communicating the nature of the data.

Q: What data was potentially compromised?
A: No passwords, banking details, account access information, criminal conviction information, or photographic material (passport/driving licence photos) were compromised. However, the nature of the information potentially compromised includes national insurance numbers, passport numbers and driving licence details.

Q: Why did the third party have our data?
A: It is currently being investigated as to how our data was made available on the third party’s systems. We wish to clarify that the third-party contractor was contracted to provide software services only. We will update this page when our investigation concludes.

Q: What certification does APCS have?
A: We have ISO 27001 and Cyber Essentials Plus certification. You can view these by following the links below. We have also included a link to our ICO Data Protection Registration Certificate.

• www.onlinecrbcheck.co.uk/docs/ISO-27001-Certificate.pdf
• www.onlinecrbcheck.co.uk/docs/Cyber-Essentials-Plus-Certificate.pdf
• www.onlinecrbcheck.co.uk/docs/ICO-Data-Protection-Registration-Certificate.pdf

Q: What happens next?
A: We will continue to publish updates on this page as information becomes available.

Contact Information

For questions about your organisation’s specific affected data:
Email: [email protected]

Please note: Due to high volume, we may not be able to respond individually to every query. This page addresses the most common questions and will be updated regularly with new information.

Description of the Incident

On 17th August 2025, we were notified by our third party software supplier that they had been a victim of a cyber-attack, and an area of their system had been subject to unauthorised access. The incident itself occurred on 31st July 2025 and enquiries are being made into the delay in reporting to us. A preliminary report from the third party set out that copies of a number of files were obtained and that some of these files contained personal data. We are aware that the third party had copies of some of our data on their own servers, and we are actively investigating how and why this occurred. Our investigations are ongoing to determine how the data was extracted and impacted by the cyber-attack. We are committed to ensuring the highest standards of data protection and are taking all necessary steps to address this situation.

We want to reassure our customers that our internal operational systems were not compromised and remain fully secure. We continue to uphold our ISO 27001 certification and Cyber Essentials Plus accreditation. These certifications reflect our rigorous security measures and our dedication to maintaining the highest level of data protection.

We remain committed to transparency and security. Organisations can continue using our services with complete confidence. We are in communication with the ICO in respect of the data breach and are also in communication with the third party. We will continue to provide updates on this webpage as the investigation develops.

What Remedial Actions Have Been Taken

Immediate Actions confirmed by Third Party:

• All servers were taken offline immediately after the breach was discovered
• External IP addresses have been changed
• External routers have been reconfigured
• All servers are being rebuilt with additional security measures installed
• All domain passwords have been changed

Actions by APCS:

• Immediate security review of our own systems (confirmed not compromised)
• Restricted access credentials for the third party personnel while under investigation
• Implemented additional access controls and monitoring
• Reported the breach to the Information Commissioner’s Office (ICO)
• Comprehensive analysis of all compromised data to identify affected individuals

Data Categories Compromised

We have provided a list of the compromised data categories for each data subject to the relevant data controllers. Please note: Only text data was affected – no passwords, banking details, or account access information were compromised. No photographic material has been compromised (e.g. passport / driving licence photos). Only data entered before 9 May 2025 is potentially affected.

Your Obligations Under UK GDPR

If you are the data controller, you are required to:

1. Assess risk to your data subjects – those with National Insurance numbers, driving licence numbers, or passport numbers face higher potential risk of impersonation for new applications
2. Notify the ICO within 72 hours if the breach is likely to result in a risk to individuals’ rights and freedoms
3. Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms
4. Provide appropriate guidance on protective steps they can consider

Support Package

To minimise your administrative burden and ensure appropriate guidance for your data subjects:

1. We have prepared a Data Breach Notification Template for data controllers to customise and send to affected data subjects
2. We have provided the list of specific data subjects affected in each organisation and the exact data categories compromised for each individual

Risk Categorisation for Your Planning

• Potentially Higher Impact (Consider priority notification): anyone with National Insurance number, driving licence number, or passport number affected
• Moderate Impact: those with full personal details – may receive targeted contact attempts
• Minimal Impact: basic contact details only – primarily spam or marketing risk

Next Steps

1. Review the list of data subjects we have provided to identify exactly which data subjects are affected and the compromised data for each
2. Assess risk to your data subjects based on the spreadsheet
3. Customise the notification template with your organisation’s details
4. Send notifications to higher-risk individuals without undue delay
5. Consider your ICO notification obligations based on your risk assessment

Support Available

• ICO breach reporting and advice: https://ico.org.uk/for-organisations/report-a-breach
• ICO helpline: 0303 123 1113

We recognise the severity of this incident and will do our best to support you through this process. The materials provided follow a measured approach to meet obligations while focusing on actual risks.

We will publish updates on this page as more information becomes available and to address frequently asked questions. Please check this page for further updates as we may not be able to respond individually to every request.

Please direct any further enquiries regarding this incident to [email protected].