Statement from the Diocese of Coventry Regarding the APCS Data Breach

We have been informed of a data breach involving Access Personal Checking Services Ltd (APCS), the provider used by the Diocese of Coventry and many of our parishes to process Disclosure and Barring Service (DBS) checks.

On 17 August 2025, APCS were notified by their external software supplier, Intradev, of a cyber-attack that resulted in unauthorised access to certain files containing personal data. APCS believe the breach affects DBS applications submitted between December 2024 and May 2025. APCS have confirmed that the data accessed includes text-only information such as name, date of birth, email address, postal address, place of birth, gender, National Insurance Number, passport details, and driving licence details. No images, documents, payment card details, or records of criminal convictions were accessed.

Our own diocesan network and servers were not compromised.

We understand that this news may cause concern and distress. Please be assured that the Diocese of Coventry takes this matter extremely seriously. We are working closely with APCS and other dioceses to ensure a coordinated response. We have reported the incident to the Information Commissioner’s Office (ICO) and the Charity Commission.

As a precautionary measure we have decided to pause all applications to APCS and have provided the same advice to parishes.

 

Bishop Sophie said:

This is a difficult and troubling time for everyone affected. It is an upsetting violation of privacy that a significant number of people in our diocese have suffered. I am truly sorry for the distress and disruption this incident has caused.

For those directly impacted, I would encourage you to access the support you need. There is detailed information on the diocesan website and we will continue to update this as the situation unfolds. I would also urge everyone to be extra vigilant at this time.

I am immensely grateful to the diocesan staff team, clergy, friends, and volunteers in the parishes who have all worked so hard to provide information, reassurance and support to those affected.

You are all in my prayers at this time.

 

Diocesan Secretary Jacqueline Ladds said:

I am very aware that the situation many find themselves in following this data breach must be very concerning and upsetting. Please be assured that the Diocesan staff team have been working hard to support all those affected. Colleagues have been in daily communication with the National Church team as well as the Registry, other dioceses and APCS themselves to ensure we know who has been impacted and what practical support is available. We will continue to do everything we can.

I would encourage anyone with concerns to continue checking our website as we will update the FAQs with information as it is available and to also contact us through the dedicated email link APCSBreach@Coventry.Anglican.org.

 


Information for parishes

DBF are currently providing support and guidance related to the APCS data breach.

If your parish is affected, you will likely have received an email from APCS between 22nd and 24th August listing the individuals involved. This email will have been sent to the person listed as the Manager on the Parish APCS account (e.g. PSO, Administrator, Incumbent).

The CDBF will have also contacted the parish to ensure you are aware and to provide support and guidance.

Information Commissioner's Office: We are advising parishes to report to the ICO if they have been affected by the breach. Support and guidance has been provided.

Charity Commission: The National Church Institutions have been informed by the Charity Commission that due to the large number of Serious Incident Reports they have received on this, trustees in PCCs and diocesan boards of finance do not need to report to the Charity Commission "if in substance they simply wish to report the same incident in materially similar terms".

 


Information and Support for individuals affected

We recognise that being notified of a data breach can be unsettling, and we recognise the impact on those affected.

If your data was affected, you will be contacted by your parish or the DBF. We aim to provide reassurance and guidance tailored to your situation.

You will receive a written summary of what data was affected and recommended actions to take, including how to monitor for misuse.

The National Church Institutions are offering all individuals personally affected by the breach 12 months of free credit and web monitoring services, provided by Experian. Access codes will be made available to our diocese to distribute, and instructions about how you can access your Experian account will also be sent to you shortly.

We have set up a designated email address to respond to this matter, specifically to answer any queries/concerns that are not covered by these FAQs. Please email APCSBreach@Coventry.Anglican.org

We remain committed to supporting all affected individuals and parishes and will continue to provide updates as more information becomes available.

 


Further resources

Action Fraud 
The government has put together this checklist of steps to take to repair your identity and prevent re-victimisation.

The National Fraud and Cyber Crime Reporting Centre has a wealth of advice and resources on the Action Fraud website. 

GOV.UK

 

About the breach

What has happened?

We have been notified that one of our suppliers, Access Personal Checking Services Ltd (APCS), has been subject to a significant data breach. APCS carries out Disclosure and Barring Service (DBS) checks on behalf of the National Church Institutions (NCIs), some Dioceses and Parochial Church Councils (PCCs). The breach has affected clergy, lay ministers, volunteers, and staff.

Who has it affected?

This breach has impacted people across the Church who have been subject to a recent DBS check. APCS carries out DBS checks on behalf of some Dioceses and PCCs, and the NCIs.

Who are APCS and what do they do?

APCS specialise in processing disclosures for individuals and small business owners, large public and private sector companies, organisations, and recruitment agencies.

When did this happen?

APCS have stated that their external software supplier, Intradev, notified them on 17 August that their system had been compromised between 31 July 2025 and 15 August 2025, and that certain files containing personal details were copied. APCS were provided with copies of the compromised data on Monday 18 August. APCS’ own network and servers were not compromised. From initial assessments made by APCS, the data that is affected is from 1 December 2024 to 9 May 2025.

Have other organisations outside of the C of E been affected?

Yes. APCS provides Disclosure and Barring Service (DBS) checks to many organisations. This breach also impacts those bodies.

How confident are we that only those notified have been affected?

APCS have started the process of notifying those individuals affected by the breach. APCS have said that the breach only affects those individuals who were subject to a DBS check between 1 December 2024 and 9 May 2025, but this is a moving situation, and we will keep you updated as we receive more information.

Is this data breach connected to the data incident involving the independent Redress Scheme?

No. The two incidents are unconnected.

What personal information has been leaked?

We understand the breach may have affected some or all of the following information:
•    Name, phone number, date of birth, email address, address, place of birth, National Insurance number, passport number, driving licence number.

It does not include:
•    Medical information, information on any disclosures, information about your protected characteristics e.g., ethnicity, disability, sexual orientation, marital status.

The information that was accessed was in text format only. No documents, images, passwords, or financial details were affected.
 

What is my Diocese doing?
  • People affected by the data breach have been contacted with advice and support.
  • Parishes affected are being provided with support and guidance.
  • Support includes 12 months free access to a credit checking and monitoring service from Experian.
  • All DBS checks with APCS have been paused until further notice.
  • This incident has been reported to the Information Commissioner's Office (ICO) and Charity Commission.
  • We will continue to keep parishes updated and revise these FAQs as further information is received.

 

Reporting the breach and data protection

Do PCCs need to report the incident to the ICO?

Yes. PCCs should report separately to the ICO if they have directly accessed the service, i.e. if they have been uploading data to APCS themselves, which makes them the data controller. If the DBF have been doing this on their behalf, then the DBF should report as the data controller. You can assess this by checking who APCS is corresponding with, i.e. if they have contacted the PCC directly, then it is likely that the PCC is the controller and therefore must report.

Whether the PCC is part of the national deal is not the issue for reporting to the ICO; the key issue is who the controller is.

In simple terms it is ‘who’ completed the check, not where the role is based. If the parish sent an email inviting an applicant to complete the DBS check, they are the data controller in this instance.

Who is responsible for reporting a breach to the ICO?

Only the data controller is responsible for reporting a high-risk data breach to the ICO. A high-risk data breach is one which has a significant effect on the rights and freedoms of data subjects. All parties are accountable for taking steps to mitigate the effects of the breach where possible. 

If the data breach is caused by the processor, the processor must implement technical and organisational measures to assist the controller to deal with the breach but is responsible for their own failures or those of their sub-processors. However, the ICO can investigate all parties involved to ensure they have met their obligations appropriately.
 

Do we need to report this incident to the Charity Commission?

The Charity Commission have informed the National Church Institutions that due to the large number of Serious Incident Reports they have received on this, trustees in PCCs and diocesan boards of finance do not need to report to the Charity Commission "if in substance they simply wish to report the same incident in materially similar terms". 

The CDBF have completed a report to the Charity Commission.
 

Is the 72-hour deadline for reporting the incident to the ICO based on when an email notifying the breach was sent, or when the email was seen?

The 72-hour window is based on when your organisation became aware of the data breach (i.e. when the email sent from APCS was seen). If you have missed the 72-hour deadline, you can explain that the reason for the delay is because you were fact finding, but it is best if you can do this as close to the 72-hour window as possible. 

I would like to request that any data held by APCS on me is deleted under GDPR. How do I go about this?

If you wish to make an erasure request, you can contact APCS via email to enquiries@accesspcs.co.uk or by phone on 0845 6431145. The APCS Privacy policy is available here: www.onlinecrbcheck.co.uk/docs/privacypolicy.pdf

Data Controller vs. Data Processor – What’s the Difference?

Data Controller: The organisation that decides why and how personal data is collected and used. It holds overall responsibility for GDPR compliance, even when using external suppliers. Controllers must ensure processors are GDPR-compliant and have contracts in place that include breach management procedures.

In the APCS case, the data controller would be the organisation uploading data to the APCS system—such as the Church of England Central Services, a Diocesan Board of Finance, or a Parochial Church Council.

Data Processor: An external party that processes personal data only on the controller’s instructions. It must comply with GDPR and have contracts that ensure equivalent data protection standards, including with any sub-processors.

Here, APCS is the data processor. It must notify the controller immediately if a data breach occurs.

Sub-Processor: A supplier working under the data processor to handle personal data. They must follow GDPR, maintain strong security measures, and support both the processor and controller in meeting their obligations.

In this case, Intradev is the sub-processor.

Why are parishes being asked to submit a report to the ICO?

In the event of a data breach, the data controller is responsible for submitting a report to the ICO. In this instance, the “controller” is the organisation responsible for inviting the applicant to complete the DBS application on the APCS system, for example, the PCC.

 

Support for people affected

What support is available for those who have been affected?

Access to a credit checking and monitoring service from Experian is being made available for 12 months for those affected. If you have been affected by this data breach and you have not received a code to access your Experian Identity Plus account, please contact APCSBreach@Coventry.Anglican.org. More information about the service available from Experian is contained within these FAQs.

Advice about what additional steps you can take, and the resources available to help protect you from fraud, are also included in these FAQs.

Who can I contact about the data breach?

The CDBF has set up a designated email address to respond to this matter, specifically to answer any queries/concerns that are not covered by these FAQs. Please email APCSBreach@Coventry.Anglican.org

If my passport and driving licence details have been accessed, should I apply for new ones?

The current advice from the National Church Institutions is that they do not believe it is necessary to replace driving licences or passports, as the images associated with these documents were not breached. However, we expect that individuals will take their own decisions. Do look out for announcements or updates from the relevant agencies.

What support will I be offered if my data is used maliciously through this breach? For instance, if someone uses the data to create a new payment from my bank account or creates a credit agreement that negatively affects my credit file?

We are encouraging all individuals who are potentially affected by this to sign up to the Experian service. This service, provided for 12 months, will help you to keep an eye out for any changes that suggest someone is using your data improperly – for instance, you will get an alert if someone sets up a new credit agreement. If you become the victim of fraud, you will be offered help through Experian’s caseworker service to get back on track and sort out your credit file.

If I lose money or my credit file is affected due to fraud or I have incurred costs, will I be compensated?

The CDBF is seeking legal advice and actively working with the National Church Institutions (NCIs) and the other dioceses to understand this further.

What can I do to protect myself from fraud?
  • Stay alert to unexpected emails, calls, or letters that mention personal details about you
  • Never give personal information to unsolicited callers, even if they seem to know details about you
  • Verify any unexpected contact by calling the organisation directly using their official number
  • Monitor for new applications made in your name:
    • Check your credit report – see below for information about the service that will be available to you from Experian shortly.
    • Look for any new accounts, credit searches, or applications you did not make.
  • Inform your bank, building society and credit card company of any unusual transactions on your statement.
     

Links and contact numbers

Action Fraud 
The government has put together this checklist of steps to take to repair your identity and prevent re-victimisation.

The National Fraud and Cyber Crime Reporting Centre has a wealth of advice and resources on the Action Fraud website. 

GOV.UK

Financial Ombudsman Service
If you have lost money because of fraud or a scam – and you are unhappy with how your bank or payment service provider handled things – the Financial Ombudsman Service may be able to help.

General advice

To report the theft or loss of post

 

Experian Identity Plus

Who can I speak to about getting an access code for the credit check and web monitoring service from Experian?

All affected individuals should have received an email with their Experian access code. If they have not, they will need to contact the person who sent them the letter notifying them of the breach, for example the PSO or Incumbent. For cases where the CDBF administered the check, contact APCSBreach@Coventry.Anglican.org.

What does the Experian Identity Plus account provide?

Features of the Experian Identity Plus account include:

  • Daily Experian Fraud Report
    If you log in, you can get your daily Experian Fraud Report. This details key information from your Experian Credit Report that may help you identify fraudulent activity on your credit report.
  • Alerts provided as part of the service
    Alerts will be provided by email and/or SMS, depending on your settings and features availability.
  • Experian fraud alerts
    Get alerts by email and/or text message about certain changes to your Experian Fraud Report. Alerts relate to when accounts are opened or closed, or when your credit report is searched. Some of our credit alerts may be sent in real-time to notify of certain changes when they happen, others are sent weekly.
  • Experian CreditLock alerts
    Experian will let you know when your Experian credit file is searched and if your credit file was locked. For any applications that are blocked you will be sent a message by email and/or text to make you aware.
  • CreditLock
    Experian CreditLock is designed to reduce fraudulent credit applications. Locking your Experian Credit Report will help to block new fraudulent credit applications made in your name, using your information from the Experian Credit Bureau.
  • Web monitoring
    Experian will help you better protect your identity by scanning certain internet sites and locations for selected personal and financial details and alerting you by email or text message if anything looks wrong or fraudulent. Alerts are sent every day that we find suspicious information. Web monitoring is designed to work alongside taking a cautious approach to your sharing of data and use of the internet and other digital services.

 

Read this guide to Identity Plus for more details

How do I read my credit report? I have never had one before

If you are not sure where to start, take a look at this guide from Experian: www.experian.co.uk/consumer/experian-credit-report.html

Your credit report has different sections. For instance, it will show information about you, any credit agreements you have (e.g. your mortgage or with a phone company), your financial connections (e.g. spouses/partners), and details of any missed/overdue payments on credit agreements.

What happens beyond 12 months with the Experian service?

At the end of the 12-month period the individuals will get an email to say their subscription is coming to an end and the options available to them.

How up to date is Experian? For instance, if someone set up a credit agreement today, would they tell me today?

Through your Experian Identity Plus subscription, you will be offered daily alerts as to whether something has changed within your credit report. The subscription also allows you to lock your Experian credit report to help stop fraudsters taking out agreements in your name.

I have been advised to use CIFAS as well. Is this necessary?

Experian is a member of CIFAS (Credit Industry Fraud Avoidance System) and can access data related to confirmed fraud cases. CIFAS focuses on fraud prevention; Experian offers identity verification and fraud prevention.

I already have an Experian account, or I have used Experian in the past. What should I do?

When you log into Experian using the code we have given you and your personal email address, you may be told that you already have an account under that username.

We would advise you to contact Experian on 03444 818182 to explain the situation and seek their advice.

Experian asks for a lot of personal data, should I be giving this to them?

When you create the account, you will be asked for your email address as a username. You should use your own personal email account, because reports from Experian contain your own personal financial information which should not be held in a work email inbox (see above).

You may be asked for date of birth and address so that Experian can identify you, and they may ask you for additional data, for example, your mother’s name as an additional security check.

They will already know some of your financial arrangements e.g. mortgage information and bank account details etc, or other financial arrangements where you have had to get a credit check, and they will ask you to confirm these.

They need these details to ensure that they monitor all your financial arrangements; however, they also collect data for marketing purposes.

You should read their Privacy Notice here: Experian Consumer Privacy Policy

To opt out of marketing click here: Opt out by marketing channel and industry sector - Experian Consumer Information Portal

 

Questions we have received and other potential questions

I have been approached by a journalist to ask me about the breach. What do I do?

Please do not offer any comment and refer them to our communications team at communications@coventry.anglican.org
