Cyber Incident Victim: UKs Criminal Records Office (ACRO)

The UK's Criminal Records Office (ACRO) experienced a cyber security incident affecting its customer portal between January 17 and March 21, 2023. ACRO became aware of the breach on March 21 and immediately took the application portal offline to contain the threat. The incident primarily disrupted the issuance of Police Certificates and International Child Protection Certificates, though manual processing via email remained available. ACRO launched an investigation with the National Cyber Security Centre (NCSC) and notified the Information Commissioner's Office (ICO). Initial public communications on March 21 attributed website unavailability to maintenance, with a formal acknowledgment coming via email to affected users days later. The organization confirmed its criminal record exchange services with overseas jurisdictions and domestic policing functions remained operational throughout the disruption.

While ACRO stated no conclusive evidence existed of compromised personal data, it warned applicants that information submitted during the exposure window could have been accessed. This potentially included identification documents, criminal conviction histories, decade-long address records, family member details, passport information, and photographs. Third-party data associated with applications—such as endorsers' names, contact details, and professional affiliations—also faced potential exposure. ACRO emphasized payment information appeared unaffected and assured users that dispatched certificates remained secure. The incident created significant processing backlogs due to manual application handling, prompting ACRO to allocate additional customer service resources. All affected parties received direct notifications advising vigilance against phishing attempts and recommending password security measures while the investigation continued.