UK criminal records office suffers two-month "cyber security incident"
ACRO was forced to take its systems offline and security experts are suggesting ransomware may be involved


The UK’s national office for managing criminal record information (ACRO) has confirmed it’s currently trying to recover from a two-month “cyber security incident”.
Few details were revealed by the organisation and other authorities, other than that the attack took place between 17 January and 21 March 2023.
There is currently no evidence that personal data or payment information has been affected by the incident, ACRO told ITPro.
ACRO was forced to take its website offline on 21 March.
The same day, ACRO’s customer service Twitter account alerted customers that the outage was due to “essential website maintenance” and that online applications were unavailable.
The organisation has still not publicly alerted customers of a cyber security incident via official channels.
Some members of the cyber security industry have suggested the incident is related to a ransomware attack.
Asked by ITPro, neither ACRO, the National Cyber Security Centre (NCSC), nor the Information Commissioner’s Office (ICO) commented on the involvement of ransomware.
“We are aware of a cyber security incident affecting the ACRO Criminal Records Office website and are working with national agencies to fully investigate,” ACRO told ITPro.
“We take data security very seriously and as soon as we were made aware of this incident we took the customer portal offline. At this time we have no conclusive evidence that personal data has been affected by the cyber security incident."
ACRO is currently working with authorities to investigate the incident further.
The organisation’s website is currently displaying a single page with essential customer information only, directing them to ACRO’s Twitter account for up-to-date guidance.
According to its customer service Twitter account, ACRO was initially forced to accept applications for police certificates by post only.
A week later it set up dedicated email addresses to receive applications for both police certificates and international child protection certificates.
ACRO has a number of core duties, one of which is to check if a suspect in the UK has a record of criminal convictions from other countries.
It also provides police certificates for those who wish to emigrate from the UK, or need a visa to live or work abroad.
The document is usually required by foreign embassies and equivalent institutions to grant entry into their respective countries.
International child protection certificates are required for individuals who wish to work with children in countries outside the UK.
Individuals can also file subject access requests to ACRO to obtain copies of police records about them.
Analysis of the ACRO cyber incident
The timeframe of the incident will undoubtedly spark criticism of ACRO and its handling of the case.
Failing to inform the public about a cyber attack for nigh-on three months will be seen as a major miscalculation by whoever’s decision it was to keep this under wraps.
‘Cyber attack’ isn’t the exact verbiage used by ACRO, but the incident is more than likely to be characterised as just that, and it wouldn’t be the first organisation to shy away from what some consider to be ‘scary’ wording of an incident.
Earlier this year Minneapolis Public Schools went so far as to refer to its incident as an “encryption event”, prompting mockery from many corners of the cyber security community.
The attack was later claimed by the Medusa ransomware operation.
Concerning incident disclosures, it is widely accepted in the security industry that transparency is best for both the attacked organisation and its customers and stakeholders.
Clearly communicating the ways ACRO’s staff have been making productive steps towards responsibly remediating the issue would have made for better optics here.
We don’t know for sure if ACRO knew about the incident from 17 January, but it did confirm that’s when it first started. The office may have only been made aware of the attack at a later date.
As confirmed by ACRO on Wednesday evening, it has “allocated more resources” to its staff to deal with mounting enquiries.
It has asked individuals travelling after 1 June to wait until 7 May to submit their certificate applications so they can respond to requests “in a timely manner”.
The office is evidently strained as a result of the attack and it will be hoping for a fast recovery.
With the NCSC engaged, ACRO would likely have been advised to hire third-party incident response specialists to help it with the recovery.
If ransomware is involved, it’s likely that the NCSC will be leading negotiations with the threat actors.
A rare insight into how the NCSC negotiates with cyber criminals was made public earlier this year after LockBit published its entire chat history between it and Royal Mail International.
The disclosure from ACRO today raises more questions than it answers.
Over the coming days, it will need to publicly disclose the incident through its own channels, not just comments made to the media, and explain why it took so long to inform the public of the truth behind all the disruption.
It will also need to outline how it plans to recover, providing clear estimated time frames, and offer more to convince the public that the sensitive data it safeguards remains safe.
If an attacker were to have access to an individual’s criminal records, for example, the damage they could do could theoretically be far greater than what could be achieved with just a name, home address, and phone number - the type of data often stolen in cyber attacks.
It would also make the data highly valuable, worthy of the lofty ransoms often demanded by modern-day cyber criminals.
Ultimately, ACRO has a great deal to answer for, and the public will undoubtedly be demanding greater transparency from a public office with the keys to such important and sensitive information.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.