The UK’s criminal records office, ACRO, has confirmed it is investigating a “cyber security incident” that forced it to take its customer portal offline between January and March this year. The government agency manages people’s criminal record information and exchanges data with other countries, which is used by employers vetting potential hires and embassies processing visa applications.
ACRO has said it has no conclusive evidence that personal data has been affected by the incident. It added that there is no potential risk to payment information, certificates that were dispatched following applications, or information on the police national computer. The Information Commissioner’s Office (ICO) and the National Cyber Security Centre are investigating the incident.
Those who received an email from ACRO were using its services as a direct applicant, “in support of an application as a nominated endorser or a professional administering the application for and with the applicant”. ACRO said the personal data which could have been affected is any information users supplied to it, including identification information and any criminal conviction data.
If users had a nominated endorser, professional, or other third party, their name, relationship to the applicant, occupation, phone numbers, email address and case reference number could have been affected.
ACRO said that as soon as it became aware of the incident, it took the customer portal offline to carry out a full investigation. It has urged users to make sure they use “strong and unique passwords” for their online accounts and keep an eye out for suspicious activity.
ACRO’s Twitter account has asked anyone who submitted an application form by email or mailed the dedicated mailboxes since the website went down to bear with it.
The website issue and manual processing of applications has created a backlog, but the agency is allocating more resources to its customer service team and getting through the list as quickly as possible.
