The names, addresses, phone, national insurance and passport numbers of school staff members may have been “compromised” in a cyber attack on the IT provider of a firm that maintains background check records for schools.

has written to its customers to inform them it has been notified by its software supplier Intradev Limited of a data breach.

Schools are required by law to keep a single central record of data gathered in checks made on staff before their appointment to jobs. These can be maintained by external providers, like SCR.

Director Mark Gardner confirmed to Schools Week the organisation was “notified by a third-party contractor on Sunday August 17 that they had been subject to a cyber attack.

“It is suspected by them that some of our data may have been compromised during that cyber attack.”

It is not known how many schools and trusts are affected, but SCR has many clients including several large academy trusts, which have thousands of staff between them.

Company holds teachers’ personal data

Schools Week understands data held by SCR that may have been compromised includes the names, dates of birth, email and home addresses, phone numbers, as well as national insurance, driving licence and passport numbers of school staff.

However, Gardner said the “extent and nature of the data which has been compromised is still under investigation and we are doing everything we can to liaise with the third party to understand how and why our data has been compromised.

“Given that investigations are still ongoing, we cannot confirm the extent of the data which has been compromised or provide any specific details at this stage. To do so would be speculation and premature.”

It is understood one of the lines of enquiry is into why data held by SCR could be accessed via its software supplier.
Law firm Browne Jacobson has It said: “Personal data relating to staff at several of our client schools and trusts has been compromised as a result of this breach, and we are supporting those schools and trusts with their reporting duties, managing communications with affected staff, and engaging with Online SCR.

“Many schools are still closed for the school holidays, and so the communication from Online SCR may not yet have been picked up.

“Additionally, many school data protection officers may also be on leave. However, important urgent action should be taken this week if you are affected.”

Breach reported to the ICO

Gardner said his company had been “proactive in communicating with our customers about this incident” and had reported it to the Information Commissioner’s Office “as a pragmatic approach and provided schools with comprehensive support materials”.

“This goes far above our obligations as a data processor and we are happy to go the extra mile for our customers during this difficult period.

“We remain in contact with the ICO and are utilising them as a resource to deal with the above along with dedicated regulatory and commercial lawyers.”

He added that SCR’s systems “remain incredibly secure.

“We have revoked any access points we have with the third party and, as such, schools can continue using our services with complete confidence.”

And “whilst we are incredibly confident in our own internal security, please rest assured that full due diligence is taking place with all our third party contractors and increased efforts to our policies will be further strengthened if necessary.

“As you can appreciate, we are conducting a thorough investigation which, given the recent notification, is still in its infancy.

“We will provide information directly to those affected as our investigation progresses.
In the meantime, we request patience from our client in order for us to get to the bottom of the issue and report back as swiftly as possible.”

‘Unauthorised activity’

Steve Cheetham, Intradev’s managing director, confirmed that on August 4, the company “identified unauthorised activity within our systems. Immediate containment measures were implemented, and a detailed investigation is now underway to understand the nature and scope of the incident.

“At this stage, the exact method of entry remains under investigation. The incident involved malicious unauthorised access, and we are treating it as a significant IT security event.”

Intradev is now reviewing “affected files and systems to determine what data may have been compromised.

“We are aware that certain files were accessed, and we are working to identify the types of data involved and the individuals potentially affected.

“This includes assessing the impact on our customers and their stakeholders, though we are not yet able to confirm the full list of affected parties or the date range of the data involved.”

Intradev has also reported the incident to the “relevant authorities, including the Information Commissioner’s Office and Action Fraud, and continue to liaise with them as appropriate.

“We remain committed to fulfilling our legal and regulatory obligations and are handling this matter with diligence and care. We will continue to provide updates to our customers, where necessary, as our investigation progresses.”

Browne Jacobson told schools that use SCR to look out for emails from the firm, which “should inform you whether your staff data is affected, and if so, to what extent”.
Sue smith 29 August 2025 They have accessed all my personal data including my passport, date of birth, driving licence, phone number, birth place, home address and name. I am very unhappy
Sarah P 5 September 2025 Mine too – and my school only told me today!!! I am not even an employee – just a parent who has helped on school trips and helps the PTA. This breach is far wider than school employees, which doesn’t seem to have been picked up by the press.
Anon 30 August 2025 It is difficult to overstate the difficulty and worry this will have caused affected individuals. DBS checking data is a Godsend to the malevolently motivated due to the smorgasbord of data it requires. Online SCR’s data breach has resulted in thousands of staff losing the most sensitive personal information they possess and includes passport number, town of birth, previous names, driving licence number, NI number, DoB, address, email and phone numbers. I am surprised there is not more ‘noise’ about this breach as it is so widespread and has such sensitive personal data compromised. I would urge all in the sector to consider their online DBS check provider very carefully and seek additional guarantees as to the length of time data is held and which 3rd parties have access. Too late for many.
Buklau 1 September 2025 And these crackers want the rest of the country to trust them with our gov ID and personal picture..
Bryan 2 September 2025 “Why data held by SCR could be accessed via its software supplier” So this would constitute the mishandling of our data by SCR by allowing an unauthorized third party access to our data, so we can press for compensation for the unnecessary distress this is now going to cause us.
Anon 3 September 2025 SCR’s Mark Gardner has clearly been trained in the Titanic Department of the Gerard Ratner School of Crisis Communications: “Far above our obligations as a data processor… happy to go the extra mile for our customers during this difficult period… [SCR’s systems] remain incredibly secure…. Schools can continue using our services with complete confidence… We are incredibly confident in our own internal security.”