The UK’s criminal record office, ACRO, had to pull its web portal offline after a two-month “cyber security incident”. The web portal is still offline (as of 20 April 2023) while they “investigate a technical issue, which we now know to be a cyber security incident.” It is unclear when the website will be back live again. While it is down, applications for police certificates must be processed manually via email, which is causing significant delays in visa processing.
It is still unclear how many people have been affected by the ACRO data breach and what data was accessed during the cyber-attack. ACRO has yet to release details about how the ‘cyber security incident’ occurred or what its impact was, and is still investigating.
The nature of the information ACRO holds about users makes this breach distressing for anyone affected. Nobody wants their highly sensitive information in the hands of the wrong people, the results of which could be damaging.
This is why it’s important to remember that if you have been affected by a data breach, you could be entitled to claim compensation. The compensation awarded is designed to help those impacted by a breach recover from the incident and offset any potential financial losses involved. Read on to find out more about the ACRO data breach and how HNK Solicitors can help you with your data protection claim.
What is ACRO?
ACRO is a government agency that manages criminal record information and the exchange of records with other countries. The national agency conducts checks on individuals as necessary to determine if they have any convictions, cautions, or pending prosecutions.
Its core duties involve checking if a suspect in the UK has a record of criminal convictions from other countries as well as providing police certificates for those who wish to emigrate from the UK, or need a visa to live or work abroad.
The data ACRO shares and holds on individuals typically includes a decade’s worth of name and address history, extended family information, any new foreign addresses, passport information, photo and data PIN cautions, and details of arrests, reprimands, charges, convictions and legal representation.
What happened during the ACRO data breach?
ACRO stated on March 21 that applications were no longer open through its online portal as they were conducting “essential web maintenance”. Their website has been inaccessible since March 31 due to “technical issues”. On April 6th 2023, ACRO tweeted a statement confirming a cyber security incident was the reason the website was down.
In an email sent to users, they confirmed the attack took place between 17 January and 21 March 2023.
“At this time, we have no conclusive evidence that personal data has been affected by the cyber security incident; however it is only right we inform you of the situation. We are very sorry that because of your interaction with ACRO, your data could have been affected, and we are working tirelessly to resolve this matter.”
“As soon as ACRO was made aware of this incident, we took robust action to take the customer portal offline so that we could fully investigate,” the message continued.
They also said that there did not appear to be any potential risk to users’ payment information.
Those who received the email were direct users of ACRO’s services, those who supported an application as a nominated endorser, or professionals administering the application for and with the applicant.
Currently [April 2023], the website thanks users for their patience as they work through technical issues caused by a cyber security incident. It then directs users to a number of dedicated email addresses set up for them to access the product or service they need.
This incident has caused huge delays for those looking to secure overseas visas, creating backlogs for those trying to obtain a police certificate, which is necessary to obtain a visa for popular locations such as the US, New Zealand, and Canada. Those who contact the ACRO helpline looking for updates have been warned of lengthy waits.
A spokesperson for ACRO told the Evening Standard, “We are aware of a cyber security incident affecting the ACRO Criminal Records Office website, and are working with national agencies to fully investigate.
“We take data security very seriously and as soon as we were made aware of this incident, we took the customer portal offline.”
“At this time we have conclusive evidence that personal data has been affected by the cyber security incident.”
ACRO says the Information Commissioner’s Office (ICO) has been made aware of the incident and that it is also working with the National Cyber Security Centre (NCSC) to find out more.
“We take data security very seriously and will ensure that the matter is fully investigated; part of the investigation will include learning how we can identify, prevent and block any future security threats,” ACRO said in its email. They also advised users to ensure they use “strong and unique passwords” for their online accounts and told them to keep an eye out for any suspicious activity such as phishing emails.
When asked for more details about the breach, a spokesperson for ACRO said they were unable to answer any questions as an investigation is ongoing.
Some members of the cyber security industry have suggested that this incident could be related to a ransomware attack, but when asked, neither ACRO, the Information Commissioner’s Office (ICO), nor the National Cyber Security Centre (NCSC) commented on the involvement of ransomware.
Who was affected by the ACRO data breach, and how do I know if I have been affected?
It’s not clear yet exactly how many people have been affected by the ACRO data breach. Anyone who had used ACRO’s service as a direct applicant, in support of an application as a nominated endorser, or as a professional administering the application for and with the applicant could be affected and should have received the email informing them of the breach.
If you have received this email, it is likely you have been affected, and you could be eligible to make a claim for compensation against ACRO. If you are unsure whether you have been affected, check your inbox and junk mail for an email from ACRO. If you are still concerned, you can contact ACRO directly at email@example.com.
What data was breached during the ACRO cyber-attack?
In the email ACRO sent to the affected individuals, it stated that although there was no evidence of a data breach, the agency suspected some data, including identification and criminal conviction information, had been compromised. Personal information that ACRO holds from users includes:
- Address history
- Extended family information
- Passport details
- New foreign address details
- Photo and data PIN cautions
- Criminal records, including reprimands, arrests, charges, convictions and legal representation information.
ACRO did, however, tell ITPro that “There is currently no evidence that personal data or payment information has been affected by the incident.”
All of this is very personal and highly sensitive information. In the hands of the wrong individual, this information could cause damage and distress. If an attacker had access to an individual’s criminal record, they could cause huge damage to that person.
The ongoing uncertainty around what data has actually been accessed, and by whom, is troubling and is likely very worrying for anyone impacted by the breach. This is a very distressing situation, and the consequences could be severe, with the risk of identity theft, phishing scams, and even reputational damage.
Those affected by the ACRO data breach may be entitled to claim compensation for any financial or emotional impact caused by the breach. HNK Solicitors can help if you want to claim for the ACRO data breach.
Can I claim compensation for the ACRO data breach?
Under the UK General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018, any company, private or public, that processes and stores data has a legal responsibility to keep it safe and store it appropriately.
The stringent regulations state that companies must adequately protect customer data from unauthorised access. If there is a breach, they must notify individuals affected as soon as possible. In this case, the breach was ongoing for two months, potentially undetected, which causes great concern for those whose data could have been affected.
Those who have been the victim of a data breach are entitled to seek compensation. This compensation is provided to individuals to cover any damages caused by the breach, such as financial losses, reputational damage, emotional distress or health issues. While this compensation will not undo the damage caused by a breach, it can support you in moving on from the incident.
HNK Solicitors can help you with your data breach claim against ACRO
If you have been affected by the ACRO data breach or any other data breach, you may be entitled to claim compensation. HNK Solicitors have a team of expert data breach solicitors who can help you with your claim. When considering pursuing a claim, it’s important to seek advice from experienced solicitors who have a deep understanding of the rules and regulations that apply.
We offer free consultations to those considering pursuing a data breach compensation claim. If you are looking to make a claim against ACRO and would like to discuss it further, please get in touch today. Visit our ACRO data breach page to find out more, fill out our online claim form, call us on 0151 668 0814 or send us an email at firstname.lastname@example.org.