DBS Data Breach Statement

MCR Pathways confirms that on the evening of Wednesday 20 August 2025 the charity received a communication from Access Personal Checking Service LTD (APCS LTD) concerning a data breach.

APCS LTD is a third-party organisation that processes data on our behalf for Disclosure and Barring Service (DBS) checks. This breach affects a number of individuals connected with MCR Pathways whose DBS checks were carried out between 1 December 2024 and 9 May 2025. DBS checks are carried out as part of our legal safeguards. Because we cannot carry these out directly, we have outsourced that service to APCS Ltd, one of the government-approved umbrella bodies authorised to process DBS applications.

Our understanding of what has happened

The communication MCR Pathways received from APCS Ltd stated that an APCS Ltd software supplier (and therefore sub-processor of the charity’s data) had discovered that part of their system was subjected to unauthorised access. The sub-processor is Intradev Ltd and it is understood that the unauthorised access took place around Thursday 31 July 2025. 

The data affected involves personal identification information provided to APCS Ltd for DBS checks to be carried out on applicants between 1 December 2024 and 9 May 2025. Personal identification information includes National Insurance numbers, Passport and Driving Licence numbers, as well as limited other types of personal data for certain individuals. We can confirm the breach did not include exposure of copies or scans of any actual identification documents, or of passwords, account details or financial information for anyone.

What immediate action we have taken

We want to reassure everyone that we are taking this matter extremely seriously, and recognise the concern this may have caused to those affected. The wellbeing and security of those affected is a priority and we will continue to do everything we can to mitigate known risks. 

As a result, the following immediate actions have been taken:

  • MCR Pathways has informed the Information Commissioner’s Office (ICO) and activated its incident response plan. Since discovery of the breach, all actions have been logged by our Incident Response Team.
  • We have informed all of those affected and have provided guidance through the development of a FAQ support resource, email and telephone contacts. We continue to provide regular updates as we understand more about the situation.
  • We have reported the breach to the Disclosure and Barring Service who appointed APCS Ltd as an umbrella organisation for the processing of DBS applications. 
  • Our investigation into how the breach has happened is ongoing, and steps have been (and continue to be) taken to prevent anything similar from happening again. This includes ceasing any further data processing by APCS Ltd on our behalf at this time.  We continue to seek regular updates from APCS Ltd regarding their investigation into the breach.
  • Arrangements have been put in place to provide further support to affected individuals in the form of CIFAS Protective Registration, Credit Monitoring Services for a fixed period and replacement of key documents. The specific details and how to opt in to those services will be provided to affected individuals at our earliest opportunity.



Further updates will be provided as soon as possible. 



Our Incident Response Team can be contacted via: incident@mcrpathways.org