APCS Data Breach
On 21st August 2025, the Representative Body was informed that the Church in Wales (as well as several thousand other bodies) has been affected by a data breach at Access Personal Checking Services Ltd (APCS), a specialist company who carry out DBS background checks on behalf of a wide range of organisations.
The breach occurred following a cyber-attack on a system used by APCS and data was stolen belonging to multiple organisations of which the Church in Wales is one. The Church in Wales own systems were not breached and remain secure. Since the breach, APCS have undertaken extensive security improvements, resumed data processing activities and have been conducting those without incident since late May 2025. The suitability of APCS as a secure partner for Church in Wales related DBS processing is being actively reviewed.
What happened?
On 31 July 2025, an external software contractor to our data processor Access Personal Checking Services Ltd (APCS) was affected by a cyber-attack. Some personal data on DBS applications has been accessed by unauthorised individuals. APCS has provided the Church in Wales with a confidential report listing the individuals affected.
The breach has occurred wholly outside of the Church in Wales computer systems. Neither the Church in Wales central systems nor any diocesan IT systems have been hacked, those respective networks are unaffected by this data breach.
Only people who applied for a DBS between December 2024 and May 2025 are affected. All those people have been contacted by the Representative Body. If you have not received an email or a physical letter, you are not at risk.
What is being done?
This incident has been reported to the Information Commissioner's Office (ICO).
We have also made a serious incident report to the Charity Commission.
We have contacted all people who may have been affected by the breach.
What else are we doing?
The Representative Body of the Church in Wales will be offering those affected by the breach, twelve months of credit and web monitoring services, provided by Equifax, one of the UK’s leading credit reference agencies.
The ‘Equifax Protect’ system helps detect possible misuse of personal data and provides identity monitoring support, focused on the identification and resolution of identity theft.
What are the next steps?
The UK Data Regulator, the Information Commissioners Office (ICO) is investigating the data breach and will report on their findings in due course.
We will update this information notice when we receive more information from the ICO.