Criminal records office yanks web portal offline amid 'cyber security incident'

ACRO says payment data safe, other info may have been snaffled

ACRO, the UK's criminal records office, is combing over a "cyber security incident" that forced it to pull its customer portal offline.

As the name implies, the government agency manages people's criminal record information, running checks as needed on individuals for any convictions, cautions, or ongoing prosecutions. It doesn't just work with British police and businesses: it exchanges this data with other countries.

This data, used by employers vetting potential hires and embassies processing visa applications, is drawn from the UK's Police National Computer via an information-sharing agreement ACRO has with the Cabinet Office.

The data input typically includes a decade's worth of name and address history, extended family information, a new foreign address, legal representation, passport information, photo and data PIN cautions, reprimands, arrests, charges or convictions.

In an email to users this week – seen by El Reg – ACRO confirmed it has "recently been made aware of a cyber security incident affecting the website between 17th January 2023 and 21 March 2023."

"At this time," it added, "we have no conclusive evidence that personal data has been affected by the cyber security incident; however it is only right that we inform you of the situation. We are very sorry that because of your interaction with ACRO your data could have been affected, and we are working tirelessly to resolve this matter."

"As soon as ACRO was made aware of this incident, we took robust action to take the customer portal offline so that we could fully investigate," the message continued.

The website right now tells visitors: "Thank you for you patience as we work through our technical issues." ACRO lists where users can obtain application forms for Police or International Child Protection Certificates.

A quick check on Twitter shows ACRO customer service noted on March 21 that the website was unavailable due to maintenance, and appears to have been down since with one further update on March 31.

Those who got the email were using ACRO's services as a direct applicant; "in support of an application as a nominated endorser; or a professional administering the application for and with the applicant."

ACRO said there "does not appear to be any potential risk to your payment information" or to the information or certificates that were dispatched following the application.

"The personal data which could have been affected is any information you supplied to us, including identification information and any criminal conviction data." It added: "If you had a nominated endorser, professional or other third party, their name, relationship to the applicant, occupation, phone numbers, email address and case reference number could have been affected."

Britain's privacy watchdog the ICO was informed of the snafu, says ACRO, which is also working with the National Cyber Security Centre (NCSC) – an offshoot of intelligence nerve-center GCHQ – to probe the matter.

"We take data security very seriously and will ensure that the matter is fully investigated; part of the investigation will include learning how we can identify, prevent and block any future security threats," ACRO said in its email.

We're not sure ACRO should be handing out security advice right now but in any case, it urged users to make sure they use "strong and unique passwords" for their online accounts and keep an eye out for suspicious activity, "for example potential phishing emails."

On March 31, ACRO's Twitter account asked anyone who submitted an application form by email or mailed the dedicated mailboxes since the website went down to bear with it.

"The website issue and manual processing of applications has created a backlog but we are allocating more resources to our customer service team and getting through the list as quickly as we possibly can," it noted.

We asked the ACRO press office to comment on the intruders' point of system entry; what exactly these miscreants accomplished when on the inside for so long; for technical details of any malware used; if there is any word on the other data accessed; and if payment data was held on a separate system.

A spokesperson at ACRO said they were unable to answer our questions as an investigation is ongoing, "but can confirm the website was taken down on 21st March." The other statements it made were already contained in the mea culpa to users.

NCSC told us: "We are aware of an incident affecting ACRO Criminal Records Office and are working with them to fully understand the impact." The ICO said it is also aware of the incident and "making enquiries." ®
