
Data breach affecting parishes

Last week, the DBS checking organisation APCS confirmed a data breach affecting the systems of its software contractors. We are aware that many parishes within the Diocese of Guildford have unfortunately been impacted by this breach, and they have been contacted by both us and the APCS with further information. APCS has a processing arrangement with parishes, the Diocesan Board of Finance and other organisations across the country to process DBS checks. APCS works with around 19,000 organisations including 17 dioceses.

The data breach was linked to malicious activity and relates to personal and sensitive information being processed for DBS checks between December 2024 and May 2025.

All affected parishes should have received an email from APCS by now, but they should continue to check emails over the coming days.

Parishes who have received an email from APCS need to act to notify the Information Commissioner’s Office (ICO) of the breach and contact those whose data has been breached. The APCS will supply you with details of who has been affected, and the Diocesan Team has sent a template on the information to include in both the ICO report and to affected individuals.

Watch this video on how to report a data breach.

The ICO breach report needs to be done within 72 hours of notification, or as soon as possible, by clicking here.

We know that this news will be concerning to many and cause alarm to the individuals whose data has been compromised. The situation is deeply regrettable, and the Diocesan Team will remain in close contact with parishes and provide support wherever possible.

The Rt Revd Andrew Watson, Bishop of Guildford said:

“I was so sorry to hear about the data breach involving quite so many dioceses and other organisations around the country – and am grateful for the speedy response of our diocesan team at Church House Guildford once we became aware of it. I pray that no significant harm will come from this malicious attack, either for individuals or for our vision of a growing church at the heart of each community; and hugely appreciate the hard work of so many clergy and lay volunteers, and their willingness to go through DBS checking in our quest to become a safer Church. Let’s not let the hackers win!”

Q&A

1. What has happened?

  • We have been notified that one of our suppliers, Access Personal Checking Services Ltd (APCS), has been subject to a significant data breach.
  • APCS carries out Data and Barring Services (DBS) checks on behalf of the National Church Institutions (NCIs), 17 Dioceses and the Parochial Church Councils (PCCs) in those dioceses. The breach has affected clergy, lay ministers, volunteers, and staff.

2. Who has it affected? 

  • We have been told that this breach has impacted people across the Church who have been subject to a DBS check between December 2024 and May 2025. APCS carries out DBS checks on behalf of some Dioceses and PCCs, and the NCIs. 

  • APCS works with 19,000 organisations so the breach is far-reaching beyond the church.  

3. Who are APCS and what do they do? 

  • APCS specialise in processing DBS checks for individuals and small business owners, large public and private sector companies, organisations, and recruitment agencies. 

4. What is the timeline of what has happened? 

  • Details are still emerging, but our current understanding is: 
  • APCS's external software supplier Intradev notified APCS on 17 August that their system had been compromised between 31st July and 15 August. 

  • APCS started informing the companies (including parishes) on 20 August that the data breach had occurred but not which individuals' data had been impacted. The emails were sent to the email address on each parish’s APCS account, usually the DBS validators. 

  • Church House Guildford was informed there had been a confirmed data breach on 21 August at which point Church House emailed all parishes to let them know that this had happened and to ensure that their DBS Validator's inbox was checked. 

  • From late on 22nd August and throughout the bank holiday weekend APCS started emailing parishes (and all their other customers) to let them know which data subjects had been impacted. 

  • The diocese has contacted all of the affected parishes, but we do not have contact details for the individuals in parishes whose data has been breached. This is why we have advised parishes to contact them directly.  

5. Is this data breach connected to the data incident involving the independent Redress Scheme? 

  • No. The two incidents are unconnected. 

  • The redress scheme data breach involved the scheme’s administrator, Kennedy’s LLP. They have accepted full responsibility and have contacted affected victims and survivors. 

6. What support is the diocese or national church offering? 

  • The Church of England remains in contact with APCS on ways to support parishes. The National Church Institutions are offering 12 months of free credit and web monitoring services, provided by Experian, to individuals within the Church of England affected by the breach. 

  • The Experian Identity Plus account helps detect possible misuse of personal data and provides people with identity monitoring support, focussed on the identification and resolution of identity theft. Access codes have been made available to the diocese and have been distributed to parishes to allocate to individuals.  

7. Experian asks for a lot of personal data. Should I be giving this to them?

  • When you create the account, you will be asked for your email address as a username. You should use your own personal email account, because reports from Experian contain your own personal financial information, which should not be held in a work email inbox (see above).

  • You may be asked for date of birth and address so that Experian can identify you, and they may ask you for additional data, for example, your mother’s name as an additional security check. 

  • They will already know some of your financial arrangements e.g. mortgage information and bank account details etc, or other financial arrangements where you have had to get a credit check, and they will ask you to confirm these. 

  • They need these details to ensure that they monitor all your financial arrangements; however, they also collect data for marketing purposes.

8. Do PCCs need to report the incident to the ICO? 

  • Yes. PCCs should report directly to the ICO as they are the data controllers. 

  • Parishes can do so here: Report a breach | ICO

9. Why can’t the diocese and the national church team make a blanket ICO report given the scale of the breach? 

  • This option has been explored but because the various data controllers (DBF, Bishops’ Office or PCC) are all separate legal entities, all will need to respond separately. 

10. Is it safe to submit DBS checks yet? Will you be recommending other providers?

  • We have recommended that parishes take a short pause from submitting DBS checks until we have greater assurances and it is sensible to resume. We know that this will cause inconvenience to those currently recruiting. 

  • We are urgently carrying out due diligence on other data checking services. We will of course keep you updated on any further advice as soon as possible.  

11. What shall I say to those volunteers who now don’t want to be DBS checked? 

  • This situation is deeply regrettable, and we share your concern and frustration. 

  • We continue to champion any measures that help us make our churches safer and keep vulnerable children, young people and adults protected. DBS checks remain a critical tool in safer recruitment and remain a requirement under the Safer Recruitment Guidance of the Church of England in certain circumstances.

  • As Bishop Andrew has publicly said, we “appreciate the hard work of so many clergy and volunteers, and their willingness to go through DBS checking in our quest to become a safer Church.”   

12. Do I need to tell the Charity Commission?  

  • Further to previous advice, the Charity Commission has now informed us that, due to the large number of Serious Incident Reports they have received on this, trustees in PCCs do not need to report to the Charity Commission "if in substance they simply wish to report the same incident in materially similar terms".

13. What do I need to tell people whose data may have been breached?  

  • A specific template has been shared via email with affected parishes, but you need to tell them, in clear and plain language, the nature of the personal data breach and, at least:

      • the name and contact details of any data protection officer you have, or other contact point where more information can be obtained in the parish (e.g. PSO, PCC Secretary or Incumbent);

      • a description of the potential consequences of the personal data breach such as:

          • Potential for identity theft

          • The possibility of receiving spam emails

          • Personal information being sold to third party advertisers

      • a description of the measures taken or proposed to deal with the personal data breach (You may need to say that further advice will follow here once you have heard more from APCS).

14. How can we advise people how to keep themselves safe from identity fraud?

  • APCS have suggested that everyone should:

      • Stay alert to unexpected emails, calls, or letters that mention personal details about you.

      • Never give personal information to unsolicited callers, even if they seem to know details about you.

      • Verify any unexpected contact by calling the organisation directly using their official number.

      • Monitor for new applications made in your name:

          • Check your credit report (using the code from the Church of England for 12 months of Identity Plus account access from Experian). You can also download an app to help you monitor this.

          • Look for any new accounts, credit searches, or applications you didn't make.

Optional additional protection:

  • CIFAS Protective Registration (£30 for 2 years at cifas.org.uk) adds extra identity verification checks for new credit applications - only consider this if you have been a victim of identity theft or are particularly concerned.

The ICO also recommends that you advise individuals on the steps they can take to protect themselves, such as:  

  • re-set passwords;  

  • always use strong, unique passwords; and 

  • look out for phishing emails or fraudulent activity on their accounts.  

Further information on support and advice on protecting your data can be found in this template. 

Report suspicious activity: 

If someone in your parish notices any unusual activity or applications they didn't make:

  • Keep records of any suspicious contact or activity. 

 

If you need any further support from the diocese, do email data.protection@cofeguildford.org.uk

The Information Commissioner’s Office is very keen for parishes to contact their free advice service in order to benefit from their expert support and advice on this number - 0303 123 1113 

 

Article published on: 27th August 2025