Criminal records office yanks web portal offline amid ‘cyber security incident’

ACRO, the UK’s criminal records office, is combing over a “cyber security incident” that forced it to pull its customer portal offline.

As the name implies, the government agency manages people’s criminal record information, running checks as needed on individuals for any convictions, cautions, or ongoing prosecutions. It doesn’t just work with British police and businesses: it exchanges this data with other countries.

This data, used by employers vetting potential hires and embassies processing visa applications, is drawn from UK’s Police National Computer via an information sharing agreement ACRO has with the Cabinet Office.

The data input typically includes a decade’s worth of name and address history, extended family information, a new foreign address, legal representation, passport information, photo and data PIN cautions, reprimands, arrests, charges or convictions.

We are very sorry that because of your interaction with ACRO your data could have been affected

In an email to users this week – seen by El Reg – ACRO confirmed it has “recently been made aware of a cyber security incident affecting the website between 17th January 2023 and 21 March 2023.”

“At this time,” it added, “we have no conclusive evidence that personal data has been affected by the cyber security incident; however it is only right that we inform you of the situation. We are very sorry that because of your interaction with ACRO your data could have been affected, and we are working tirelessly to resolve this matter.”

“As soon as ACRO was made aware of this incident, we took robust action to take the customer portal offline so that we could fully investigate,” the message continued.

The website right now tells visitors: “Thank you for you patience as we work through our technical issues.” ACRO lists where users can obtain application forms for Police or International Child Protection Certificates.

A quick check on Twitter shows ACRO customer service noted on March 21 that the website was unavailable due to maintenance, and appears to have been down since with one further update on March 31.

Those who got the email were using ACRO’s services as a direct applicant; “in support of an application as a nominated endorser; or a professional administering the application for and with the applicant.”

ACRO said there “does not appear to be any potential risk to your payment information” or to the information or certificates that were dispatched following the application.

“The personal data which could have been affected is any information you supplied to us, including identification information and any criminal conviction data.” It added: “If you had a nominated endorser, professional or other third party, their name, relationship to the applicant, occupation, phone numbers, email address and case reference number could have been affected.”

Britain’s privacy watchdog the ICO was informed of the snafu, says ACRO, which is also working with the National Cyber Security Centre (NCSC) – an offshoot of intelligence nerve-center GCHQ – to probe the matter.

“We take data security very seriously and will ensure that the matter is fully investigated; part of the investigation will include learning how we can identify, prevent and block any future security threats,” ACRO said in its email.

We’re not sure ACRO should be handing out security advice right now but in any case, it urged users to make sure they use “strong and unique passwords” for their online accounts and keep an eye out for suspicious activity, “for example potential phishing emails.”

On March 31, ACRO’s Twitter account asked anyone who submitted an application form by email or mailed the dedicated mailboxes since the website went down to bear with it.

“The website issue and manual processing of applications has created a backlog but we are allocating more resources to our customer service team and getting through the list as quickly as we possibly can,” it noted.

We asked the ACRO press office to comment on the intruders’ point of system entry; what exactly these miscreants accomplished when on the inside for so long; for technical details of any malware used; if there is any word on the other data accessed; and if payment data was held on a separate system.

A spokesperson at ACRO said they were unable to answer our questions as an investigation is ongoing, “but can confirm the website was taken down on 21st March.” The other statements it made were already contained in the mea culpa to users.

NCSC told us: “We are aware of an incident affecting ACRO Criminal Records Office and are working with them to fully understand the impact.” The ICO said it is also aware of the incident and “making enquiries.” ®

READ MORE HERE