The Criminal Records Office (ACRO) in the UK recently confirmed that issues with its online portal were the result of an event involving cyber security. The update from ACRO followed weeks of delays on a statement being issued following online portal issues that have been experienced since as early as January 17 this year.

ACRO is Britain’s dedicated national law enforcement organisation, charged with the management of recorded information on criminals, sharing criminal records with nations overseas and providing criminal records when requested.

Disclosure of security incident

The recent confirmation from ACRO comes after the UK law enforcement organisation announced back on March 21 that user applications could no longer be made via its official online portal due to activity it described as “essential website maintenance.”

Just a day before this notification, ACRO had warned of substantial delays to issue police certificates, as applications were taking longer to process because of heavy demand.

The UK organisation’s dedicated website was inactive from approximately March 31 onwards. It displayed a message to users stating that it was unavailable because of technical problems. As a result, portal users were asked to make any applications for international child protection or police certificates through email channels, with ACRO reaching out for payment at a later date.

In a statement that it shared on its Twitter account, the law enforcement agency officially declared the website maintenance conducted last month in March to be linked with a cyber incident.

Official statements issued

In an official notification from ACRO, a spokesperson for the UK agency issued a cyber incident statement. The advisory read:

“ACRO Criminal Records Office has experienced a cyber security incident, the impact of which is primarily causing delays to the issuing of Police Certificates. As soon as we were made aware on 21st March of the incident, we took robust action to take the application portal offline so we could fully investigate. We have emailed all applicants who may have been affected.”

The UK-based law enforcement organisation appended this statement regarding the exposure of personal data. It stated that, at present, it was yet to discover any conclusive evidence that any personal info was impacted during the cyber security incident. However, according to a recent report by the Evening Standard newspaper, the agency has told impacted applicants now that both criminal conviction data and identification information were affected by the event.

The statement from ACRO commented that the law enforcement agency is presently working alongside the relevant authorities to both investigate the incident and remediate its impact. Among the experts that ACRO is working with are teams from the UK’s National Cyber Security Centre (NCSC).

Finally, ACRO added:

“Our services to policing and other agencies, along with our criminal record exchanges with overseas countries, are still operational.”

Organisations and agencies responsible for storing and handling sensitive information on data subjects are prime targets for threat operators. These malicious actors steal confidential information and threaten disclosure for payment, or sell it on to others for profit.