UK criminal records office suffers two-month "cyber security incident"
ACRO was forced to take its systems offline and security experts are suggesting ransomware may be involved


The UK’s national office for managing criminal record information (ACRO) has confirmed it’s currently trying to recover from a two-month “cyber security incident”.
Few details were revealed by the organisation and other authorities, other than that the attack took place between 17 January and 21 March 2023.
There is currently no evidence that personal data or payment information has been affected by the incident, ACRO told ITPro.
ACRO was forced to take its website offline on 21 March.
The same day, ACRO’s customer service Twitter account alerted customers that the outage was due to “essential website maintenance” and that online applications were unavailable.
The organisation has still not publicly alerted customers of a cyber security incident via official channels.
Some members of the cyber security industry have suggested the incident is related to a ransomware attack.
Asked by ITPro, neither ACRO, the National Cyber Security Centre (NCSC), nor the Information Commissioner’s Office (ICO) commented on the involvement of ransomware.
“We are aware of a cyber security incident affecting the ACRO Criminal Records Office website and are working with national agencies to fully investigate,” ACRO told ITPro.
“We take data security very seriously and as soon as we were made aware of this incident we took the customer portal offline. At this time we have no conclusive evidence that personal data has been affected by the cyber security incident.”
ACRO is currently working with authorities to investigate the incident further.
The organisation’s website is currently displaying a single page with essential customer information only, directing them to ACRO’s Twitter account for up-to-date guidance.
According to its customer service Twitter account, ACRO was initially forced to accept applications for police certificates by post only.
A week later it set up dedicated email addresses to receive applications for both police certificates and international child protection certificates.
ACRO has a number of core duties, one of which is to check if a suspect in the UK has a record of criminal convictions from other countries.
It also provides police certificates for those who wish to emigrate from the UK, or need a visa to live or work abroad.
The document is usually required by foreign embassies and equivalent institutions to grant entry into their respective countries.
International child protection certificates are required for individuals who wish to work with children in countries outside the UK.
Individuals can also file subject access requests to ACRO to obtain copies of police records about them.
Analysis of the ACRO cyber incident
The timeframe of the incident will undoubtedly spark criticism of ACRO and its handling of the case.
Failing to inform the public about a cyber attack for nigh-on three months will be seen as a major miscalculation by whoever’s decision it was to keep this under wraps.
‘Cyber attack’ isn’t the exact verbiage used by ACRO, but the incident is more than likely to be characterised as just that, and it wouldn’t be the first organisation to shy away from what some consider to be ‘scary’ wording of an incident.
Earlier this year Minneapolis Public Schools went so far as to refer to its incident as an “encryption event”, prompting mockery from many corners of the cyber security community.
The attack was later claimed by the Medusa ransomware operation.
Concerning incident disclosures, the security industry widely considers transparency to be best for both the attacked organisation and its customers and stakeholders.
Clearly communicating the ways ACRO’s staff have been making productive steps towards responsibly remediating the issue would have made for better optics here.
We don’t know for sure if ACRO knew about the incident from 17 January, but it did confirm that’s when it first started. The office may have only been made aware of the attack at a later date.
As confirmed by ACRO on Wednesday evening, it has “allocated more resources” to its staff to deal with mounting enquiries.
It has asked individuals travelling after 1 June to wait until 7 May to submit their certificate applications so they can respond to requests “in a timely manner”.
The office is evidently strained as a result of the attack and it will be hoping for a fast recovery.
With the NCSC engaged, ACRO would likely have been advised to hire third-party incident response specialists to help it with the recovery.
If ransomware is involved, it’s likely that the NCSC will be leading negotiations with the threat actors.
A rare insight into how the NCSC negotiates with cyber criminals was made public earlier this year after LockBit published its entire chat history between it and Royal Mail International.
The disclosure from ACRO today raises more questions than it answers.
Over the coming days, it will need to publicly disclose the incident through its own channels, not just comments made to the media, and explain why it took so long to inform the public of the truth behind all the disruption.
It will also need to outline how it plans to recover, providing clear estimated time frames, and offer more to convince the public that the sensitive data it safeguards remains safe.
If an attacker were to have access to an individual’s criminal records, for example, the damage they could do could theoretically be far greater than what could be achieved with just a name, home address, and phone number - the type of data often stolen in cyber attacks.
It would also make the data highly valuable, worthy of the lofty ransoms often demanded by modern-day cyber criminals.
Ultimately, ACRO has a great deal to answer for, and the public will undoubtedly be demanding greater transparency from a public office with the keys to such important and sensitive information.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.