Security Updates
Frequently Asked Questions
(More questions and answers will be added over time)
Q: Can we continue using APCS services safely?
A: Yes, absolutely. It is important to note that our systems were not compromised and they were not the subject of a cyber-attack. We remain fully operational and our own servers and systems remain secure. You can continue using our services normally with confidence.
Q: Was this attack targeted at our organisation?
A: No. This was an attack on a third party’s internal systems, which are separate from our own. The third party provides software services as part of their business.
Q: What was the cause of the unauthorised access to the third party systems?
A: We were informed by the third party that the unauthorised access was the result of a malicious cyber-attack by an external entity. Investigations into the details of the attack are still ongoing.
Q: Have you reported this to the ICO? What’s the reference number?
A: Yes, we reported this on 18th August 2025 as a precautionary measure. ICO Reference: IC-415196-Q7C6. However, as Data Controllers, you must make your own ICO report if the breach poses risk to individuals’ rights and freedoms. You can reference our number to help the ICO understand these reports relate to the same underlying incident.
Q: Why did you contact our account manager instead of our Data Protection Officer (DPO)?
A: We don’t specifically hold DPO contact details on our systems. We sent the notification to the contact we hold as the manager for your organisation account. We specifically instructed them to share the information with your DPO.
Q: What should we tell our staff about this incident?
A: You can use or adapt the Data Breach Notification Template we provided, which includes risk-based messaging depending on which data categories were affected. Further information for your data subjects on how to protect themselves from the impact of a data breach can be found on the NCSC website: www.ncsc.gov.uk/guidance/data-breaches.
Q: What data was actually compromised?
A: Where the third party has confirmed to us the kind of data that has been compromised, we have provided that data directly to the customer in an Excel spreadsheet, which contains details of the data that was compromised. The spreadsheet itself was not compromised; it was prepared by us as a means of effectively communicating the nature of the data.
Q: What data was potentially compromised?
A: No passwords, banking details, account access information, criminal conviction information, or photographic material (passport/driving licence photos) were compromised. However, the nature of the information potentially compromised includes national insurance numbers, passport numbers and driving licence details.
Q: Why did the third party have our data?
A: How our data was made available on the third party’s systems is currently being investigated. We wish to clarify that the third-party contractor was contracted to provide software services only. We will update this page when our investigation concludes.
Q: What certification does APCS have?
A: We have ISO 27001 and Cyber Essentials Plus certification. You can view these by following the links below. We have also included a link to our ICO Data Protection Registration Certificate.
- www.onlinecrbcheck.co.uk/docs/ISO-27001-Certificate.pdf
- www.onlinecrbcheck.co.uk/docs/Cyber-Essentials-Plus-Certificate.pdf
- www.onlinecrbcheck.co.uk/docs/ICO-Data-Protection-Registration-Certificate.pdf
Q: What happens next?
A: We will continue to publish updates on this page as information becomes available.
Contact Information
For questions about your organisation’s specific affected data:
Email: [email protected]
Please note: Due to high volume, we may not be able to respond individually to every query. This page addresses the most common questions and will be updated regularly with new information.
Description of the Incident
On 17th August 2025, we were notified by our third-party software supplier that they had been the victim of a cyber-attack and that an area of their system had been subject to unauthorised access. The incident itself occurred on 31st July 2025, and enquiries are being made into the delay in reporting to us. A preliminary report from the third party set out that copies of a number of files were obtained and that some of these files contained personal data. We are aware that the third party had copies of some of our data on their own servers, and we are actively investigating how and why this occurred. Our investigations are ongoing to determine how the data was extracted and impacted by the cyber-attack. We are committed to ensuring the highest standards of data protection and are taking all necessary steps to address this situation.
We want to reassure our customers that our internal operational systems were not compromised and remain fully secure. We continue to uphold our ISO 27001 certification and Cyber Essentials Plus accreditation. These certifications reflect our rigorous security measures and our dedication to maintaining the highest level of data protection.
We remain committed to transparency and security. Organisations can continue using our services with complete confidence. We are in communication with the ICO in respect of the data breach and are also in communication with the third party. We will continue to provide updates on this webpage as the investigation develops.
What Remedial Actions Have Been Taken
Immediate Actions confirmed by Third Party:
- All servers were taken offline immediately after the breach was discovered
- External IP addresses have been changed
- External routers have been reconfigured
- All servers are being rebuilt with additional security measures installed
- All domain passwords have been changed
Actions by APCS:
- Immediate security review of our own systems (confirmed not compromised)
- Restricted access credentials for the third-party personnel while under investigation
- Implemented additional access controls and monitoring
- Reported the breach to the Information Commissioner’s Office (ICO)
- Comprehensive analysis of all compromised data to identify affected individuals
Data Categories Compromised
We have provided a list of the compromised data categories for each data subject to the relevant data controllers. Please note: Only text data was affected – no passwords, banking details, or account access information were compromised. No photographic material has been compromised (e.g. passport / driving licence photos). Only data entered before 9 May 2025 is potentially affected.
Your Obligations Under UK GDPR
If you are the data controller, you are required to:
- Assess risk to your data subjects – those with National Insurance numbers, driving licence numbers, or passport numbers face higher potential risk of impersonation for new applications
- Notify the ICO within 72 hours if the breach is likely to result in a risk to individuals’ rights and freedoms
- Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms
- Provide appropriate guidance on protective steps they can consider
Support Package
To minimise your administrative burden and ensure appropriate guidance for your data subjects:
- We have prepared a Data Breach Notification Template for data controllers to customise and send to affected data subjects
- We have provided the list of specific data subjects affected in each organisation and the exact data categories compromised for each individual
Risk Categorisation for Your Planning
- Potentially Higher Impact (Consider priority notification): anyone whose National Insurance number, driving licence number, or passport number was affected
- Moderate Impact: those with full personal details – may receive targeted contact attempts
- Minimal Impact: basic contact details only – primarily spam or marketing risk
Next Steps
- Review the list of data subjects we have provided to identify exactly which data subjects are affected and the compromised data for each
- Assess risk to your data subjects based on the spreadsheet
- Customise the notification template with your organisation’s details
- Send notifications to higher-risk individuals without undue delay
- Consider your ICO notification obligations based on your risk assessment
Support Available
- ICO breach reporting and advice: https://ico.org.uk/for-organisations/report-a-breach
- ICO helpline: 0303 123 1113
We recognise the severity of this incident and will do our best to support you through this process. The materials provided follow a measured approach to meet obligations while focusing on actual risks.
We will publish updates on this page as more information becomes available and to address frequently asked questions. Please check this page for further updates as we may not be able to respond individually to every request.
Please direct any further enquiries regarding this incident to [email protected].