UK criminal records office admits ‘website maintenance’ was cyber incident
ACRO, the U.K.’s criminal records office, has admitted that the “essential website maintenance” it has claimed for more than two weeks was actually the response to a cybersecurity incident.
The nature of the incident has not yet been disclosed. ACRO is a policing service that provides certificates to Britons with details of their criminal records to attach to visa applications when applying to travel and work abroad.
It first announced on Twitter on March 21 that its website was undergoing maintenance, meaning certificate applications could not be completed using its online portal. The website currently thanks users for their patience for what it describes as “our technical issues.”
However, the service has sent emails to potentially affected users this week, as first reported by the Evening Standard newspaper, warning them that hackers may have accessed “identification information and any criminal conviction data.”
Under data protection regulations in the U.K., organizations must inform data subjects within 72 hours if they have suffered a data breach. The regulator, the Information Commissioner’s Office, said it was “making enquiries” regarding the incident.
Although its website and Twitter account have still not referenced an incident, a spokesperson for ACRO did so in a statement provided to The Record, saying “as soon as we were made aware of this incident we took the customer portal offline.”
“At this time we have no conclusive evidence that personal data has been affected by the cyber security incident,” they added.
The incident affected the website from January 17 until it was discovered in March, but was not made public until April.
A spokesperson for the office told The Record they could provide an additional comment on why the agency failed to disclose the incident earlier “because of the ongoing investigations,” but said there did not appear to be any risk to payment information.
“We are continuing to work with the appropriate authorities to fully investigate,” said the spokesperson, adding that people who needed to use the service would still be able to submit applications via email.
A spokesperson for the U.K.’s National Cyber Security Centre said: “We are aware of an incident affecting ACRO Criminal Records Office and are working with them to fully understand the impact.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.