Criminal records office yanks web portal offline amid 'cyber security incident'

ACRO says payment data safe, other info may have been snaffled


ACRO, the UK's criminal records office, is combing over a "cyber security incident" that forced it to pull its customer portal offline.

As the name implies, the government agency manages people's criminal record information, running checks as needed on individuals for any convictions, cautions, or ongoing prosecutions. It doesn't just work with British police and businesses: it exchanges this data with other countries.

This data, used by employers vetting potential hires and embassies processing visa applications, is drawn from the UK's Police National Computer via an information sharing agreement ACRO has with the Cabinet Office.

The data input typically includes a decade's worth of name and address history, extended family information, a new foreign address, legal representation, passport information, photo and data PIN cautions, reprimands, arrests, charges or convictions.

In an email to users this week – seen by El Reg – ACRO confirmed it has "recently been made aware of a cyber security incident affecting the website between 17th January 2023 and 21 March 2023."

"At this time," it added, "we have no conclusive evidence that personal data has been affected by the cyber security incident; however it is only right that we inform you of the situation. We are very sorry that because of your interaction with ACRO your data could have been affected, and we are working tirelessly to resolve this matter."

"As soon as ACRO was made aware of this incident, we took robust action to take the customer portal offline so that we could fully investigate," the message continued.

The website right now tells visitors: "Thank you for your patience as we work through our technical issues." ACRO lists where users can obtain application forms for Police or International Child Protection Certificates.

A quick check on Twitter shows ACRO customer service noted on March 21 that the website was unavailable due to maintenance, and it appears to have been down since, with one further update on March 31.

Those who got the email were using ACRO's services as a direct applicant; "in support of an application as a nominated endorser; or a professional administering the application for and with the applicant."

ACRO said there "does not appear to be any potential risk to your payment information" or to the information or certificates that were dispatched following the application.

"The personal data which could have been affected is any information you supplied to us, including identification information and any criminal conviction data." It added: "If you had a nominated endorser, professional or other third party, their name, relationship to the applicant, occupation, phone numbers, email address and case reference number could have been affected."

Britain's privacy watchdog the ICO was informed of the snafu, says ACRO, which is also working with the National Cyber Security Centre (NCSC) – an offshoot of intelligence nerve-center GCHQ – to probe the matter.

"We take data security very seriously and will ensure that the matter is fully investigated; part of the investigation will include learning how we can identify, prevent and block any future security threats," ACRO said in its email.

We're not sure ACRO should be handing out security advice right now but in any case, it urged users to make sure they use "strong and unique passwords" for their online accounts and keep an eye out for suspicious activity, "for example potential phishing emails."

On March 31, ACRO's Twitter account asked anyone who submitted an application form by email or mailed the dedicated mailboxes since the website went down to bear with it.

"The website issue and manual processing of applications has created a backlog but we are allocating more resources to our customer service team and getting through the list as quickly as we possibly can," it noted.

We asked the ACRO press office to comment on the intruders' point of system entry; what exactly these miscreants accomplished when on the inside for so long; for technical details of any malware used; if there is any word on the other data accessed; and if payment data was held on a separate system.

A spokesperson at ACRO said they were unable to answer our questions as an investigation is ongoing, "but can confirm the website was taken down on 21st March." The other statements it made were already contained in the mea culpa to users.

NCSC told us: "We are aware of an incident affecting ACRO Criminal Records Office and are working with them to fully understand the impact." The ICO said it is also aware of the incident and "making enquiries." ®
