What happened in the breach?

On 31 July 2025, a cyberattack targeted Intradev, a subcontractor to Online SCR. Online SCR is a cloud-based platform used by the Foundation and Academy Trust to manage the Single Central Record (SCR), a statutory safeguarding requirement that records vetting checks for all staff, volunteers, and contractors working in schools. The platform is used by a large number of schools, academy trusts, charities and faith groups, along with other organisations that are required to vet people. Intradev is a third party that provides software services to Online SCR. The attackers exploited a firewall vulnerability at Intradev to access data, which, we understand, was submitted by individuals for the purpose of DBS checks. 

Online SCR has published some information about the attack here: https://onlinescr.co.uk/security-updates/

Below you will find answers to some frequently asked questions, to help you understand the breach and any steps you may wish to take.

FAQ: Online SCR Data Breach

  • There was a delay in Intradev informing Online SCR about the attack, and in Online SCR subsequently informing us of the attack and then in telling us which individuals had been affected. Since we received the names of those impacted on 26 August, we have worked carefully through the list to firstly categorise people into high, low and minimal risk groups based on the types of data accessed and to identify exactly who the individuals are (e.g. current staff, former staff etc.) and locate their current contact details. It has been a huge undertaking, supported by all the impacted schools, to piece together exactly who everyone is and how best to contact them, sending emails to most, dealing with bouncebacks and subsequently posting letters to or telephoning some people.  

  • The breach impacted many people from the following groups: 

    • Current and former staff at all 12 of our Academy Trust schools 
    • Current and former Foundation Office staff  
    • Current and former Governors across the organisation 
    • Current and former volunteers, contractors and casual workers. 

    The independent schools were not affected, with the exception of some people who were impacted through association with another of our schools or central functions. 

    Online SCR have indicated that data entered into their system before May 2025 may be affected. 

  • The compromised data varied by individual. As of 12/9/25, we have been able to contact the vast majority of people whose data was compromised, notifying them of the categories of their data that could have been compromised and whether this put them in a high, low or minimal risk group. This is based on information from Online SCR. In the notification we sent you, we outlined who you should contact for further details about the data accessed. Several people have asked if we can tell them the specific information that was compromised e.g., which address. Unfortunately, such information has not been released to us. We have only received a list of names of those impacted and the data categories affected for each person. Question 5 outlines further why we do not have access to this information. 

  • While this data breach occurred at a third-party subcontractor (Intradev Limited) to one of our suppliers (Online SCR), we acknowledge our responsibility as data controller for ensuring appropriate safeguards are in place when engaging data processors. We are conducting a thorough investigation into this incident, as we know other impacted organisations are doing, and we also anticipate that the Information Commissioner’s Office will be making its own enquiries. We submitted an initial report to the ICO within 72 hours of being notified of the breach, as data protection regulations require.

  • An organisation’s SCR contains the following information about people who have been vetted for their role. Online SCR does not hold copies of any checks made or documents, only the date a check was undertaken and the resulting reference number or compliance category.  

    Data | Record
    Identity | Checks confirmed, date check
    Address | Full address
    Children’s Barred List | Clearance confirmed, date of check
    National Insurance number | NI number (for cyclical checks), date of check
    DBS | DBS Reference number, date certificate seen
    Prohibition from Teaching Check | Date of check or N/A
    Section 128 | Date of Check or N/A
    Overseas Check | Date of check or N/A
    QTS | Date of Check or N/A
    Qualifications | Date of check
    Right to work | Type of RTW document provided e.g. passport, ID card, birth certificate, date seen (not a copy of the document)
    Medical | Date of check
    Reference 1 | Date received
    Reference 2 | Date received
    Update Service | DBS number, date of check
    Agency Safeguarding | Date of confirmation of checks from an agency
    Contractor Safeguarding | Date of confirmation of checks from a contractor
    Safeguarding Completed | Safeguarding training completion date
    Employment History | Date of check
    Photo ID | Type of ID provided, date of check (not a copy of the document)
    Additional Checks | Any additional check dates
    Internet/Social Media checks | Date of checks made

    Holding this data is a statutory requirement and inspectors will check that a school has a functioning and accurate SCR during any inspection. The most sensitive categories of data that some individuals have had compromised in this breach (e.g. passport and driving licence numbers) are not actually stored in the Online SCR system at all and thus cannot be viewed or accessed in the system by schools or the Foundation Office. We have been informed that this data was being held digitally in audit logs by Intradev, which was unknown to Online SCR. Audit logs are records of when a system is accessed and what operations were performed. We understand that these particular audit logs were created when information was submitted by individuals during applications for DBS checks.  

    We have been assured by Online SCR that upon discovery of the breach, Intradev immediately took its affected servers offline, changed external IP addresses, reconfigured external routers, rebuilt its servers with additional security measures installed and changed all domain passwords. We have been assured that the data is no longer being held by Intradev.

    Online SCR has also assured us that it has conducted a security review of its own systems and confirmed that these were not compromised. They have also restricted access to their system for third party personnel while the situation is under investigation.

  • Organisations are not required to offer compensation or other financial support following a data breach. Following careful consideration of our legal obligations, financial responsibilities, and regulatory requirements, and seeking professional advice on these matters, we are not offering to fund protective services such as CIFAS registration or passport renewals for affected individuals. This decision is based on the following factors: 

    • There is no legal obligation under UK GDPR or Data Protection Act 2018 for data controllers to pay for such protective services 
    • The Department for Education requires its approval for novel, contentious or repercussive payments 
    • Our insurance coverage does not extend to voluntary payments for protective services 
    • We must preserve funds for our core educational mission 
    • The Academy Trust must balance its duty of care to affected staff with its responsibilities as a public body managing limited resources in accordance with statutory requirements 
    • The Foundation Charity must act within its charitable objects. 

    We understand this may be disappointing to those who have enquired about this, and we recognise the genuine concern this incident has caused. While we cannot fund protective services, we remain committed to supporting you through clear guidance, resources, and transparent communication about steps you can take to protect yourself. We advise anyone who believes they have suffered damage as a result of this breach to seek independent legal advice about their options. 

  • It is likely that if you have not received a notification, this means you have not been affected by the breach. If you have reason to believe you might have been affected but haven’t received a notification: 

    • Check your email spam folder (we are aware that some of our email messages bounced). 
    • Make contact with the person who arranged your engagement with the school. 

    The organisation is actively working to identify and reach all affected individuals, including using alternative contact methods. 

  • There are certain steps you can take to protect yourself from the risk of identity fraud, including: 

    • Be alert for phishing emails and text messages – messages where the sender is prompting you to click links or enter your details 
    • Enable two-factor authentication across all your important accounts where this is available (e.g. email, social media accounts, PayPal, WhatsApp, online shopping services such as Amazon)
    • Never give your personal data to unsolicited callers 
    • Verify any unexpected contact by calling the organisation directly using their official telephone number. 

    Further advice on using passwords to protect your data and spotting and reporting suspicious correspondence is available from the National Cyber Security Centre.  Further advice and support are also available from Action Fraud. 

    You can also use credit checking services to monitor for new applications made in your name (suppliers include Experian https://www.experian.co.uk/ , Equifax https://www.equifax.co.uk/ , or TransUnion https://www.transunion.co.uk/ who all provide free checking services). 

    The ICO website also has useful information on the pages "What steps should I take if I have experienced a data breach?" and "Identity theft".

    Such is the regularity of data breaches across different aspects of life, we would always recommend these steps to keep your information safe, and to minimise the risk of identity fraud, regardless of this data breach notification.