Data Security Notice

There was a delay in Intradev informing Online SCR about the attack, and in Online SCR subsequently informing us of the attack and then in telling us which individuals had been affected. Since we received the names of those impacted on 26 August, we have worked carefully through the list to firstly categorise people into high, medium and low risk groups based on the types of data accessed and to identify exactly who the individuals are (e.g. current staff, former staff etc.) and locate their current contact details. It has been a huge undertaking, supported by all the impacted schools, to piece together exactly who everyone is and how best to contact them.

The breach impacted many people from the following groups: 

• Current and former staff at all 4 of our Academy Trust schools including central staff

• Current and former Governors/Trustees across the organisation 

• Current and former volunteers, contractors and casual workers. 

The independent schools were not affected, with the exception of some people who were impacted through association with another of our schools or central functions. 

Online SCR have indicated that data entered into their system before May 2025 may be affected. 

The compromised data varied by individual. As of 02/09/25, we have been able to contact the vast majority of people whose data was compromised, notifying them of the categories of their data that could have been compromised and whether this put them in a high, medium or low risk group. This is based on information from Online SCR. In the notification we sent you, we outlined who you should contact for further details about the data accessed. Several people have asked if we can tell them the specific information that was compromised e.g., which address. Unfortunately, such information has not been released to us. We have only received a list of names of those impacted and the data categories affected for each person.

While this data breach occurred at a third-party subcontractor (Intradev Limited) to one of our suppliers (Online SCR), we acknowledge our responsibility as data controller for ensuring appropriate safeguards are in place when engaging data processors. We are conducting a thorough investigation into this incident, as we know other impacted organisations are doing, and we also anticipate that the Information Commissioner’s Office will be making its own enquiries. We submitted an initial report to the ICO within 72 hours of being notified of the breach, as data protection regulations require.  

An organisation’s SCR contains the following information about people who have been vetted for their role. Online SCR does not hold copies of any checks made or documents, only the date a check was undertaken and the resulting reference number or compliance category.  

Holding this data is a statutory requirement and inspectors will check that a school has a functioning and accurate SCR during any inspection. The most sensitive categories of data that some individuals have had compromised in this breach (e.g. passport and driving licence numbers) are not actually stored in the Online SCR system at all and thus cannot be viewed or accessed in the system by schools or the HR staff. We have been informed that this data was being held digitally in audit logs by Intradev, which was unknown to Online SCR. Audit logs are records of when a system is accessed and what operations were performed. We understand that these particular audit logs were created when information was submitted by individuals during applications for DBS checks.  

We have been assured by Online SCR that upon discovery of the breach, Intradev immediately took its affected servers offline, changed external IP addresses reconfigured external routers, rebuilt its servers with additional security measures installed and changed all domain passwords. We have been assured that the data is no longer being held by Intradev. 

Online SCR has also assured us that it has conducted a security review of its own systems and confirmed that these were not compromised. They have also restricted access to their system access for third party personnel while the situation is under investigation. 

Organisations are not required to offer compensation or other financial support following a data breach. Following careful consideration of our legal obligations, financial responsibilities, and regulatory requirements, and seeking professional advice on these matters, we are not offering to fund protective services such as CIFAS registration or passport renewals for affected individuals. This decision is based on the following factors: 

• There is no legal obligation under UK GDPR or Data Protection Act 2018 for data controllers to pay for such protective services 

• The Department for Education requires its approval for novel, contentious or repercussive payments 

• Our insurance coverage does not extend to voluntary payments for protective services 

• We must preserve funds for our core educational mission 

• The Academy Trust must balance its duty of care to affected staff with its responsibilities as a public body managing limited resources in accordance with statutory requirements 

We understand this may be disappointing to those who have enquired about this, and we recognise the genuine concern this incident has caused. While we cannot fund protective services, we remain committed to supporting you through clear guidance, resources, and transparent communication about steps you can take to protect yourself. We advise anyone who believes they have suffered damage as a result of this breach to seek independent legal advice about their options. 

Please be assured that we are treating this matter with the utmost seriousness and have taken immediate steps to manage and respond to the incident as well as working closely with our insurers under the Risk Protection Arrangement (RPA) to ensure appropriate handling of any compensation claims.

If you wish to pursue a compensation claim, please be advised that:

• All such claims will be referred to and managed by the school or Trust’s insurers.
• The Trust is unable to admit liability for the breach

To initiate a claim, you may use the following link to access the appropriate form:

TopMark Claims Management

Stay alert to unexpected emails, calls, or letters that mention personal details about you
Never give personal information to unsolicited callers, even if they seem to know details about you
Verify any unexpected contact by calling the organisation directly using their official number

Monitor for new applications made in your name:

Check your credit report (free from Experian 0800 013 8888, Equifax 0800 014 2955, or TransUnion 0330 024 7574)
Look for any new accounts, credit searches, or applications you didn’t make

Criminals may use your personal details to make contact seem more credible:

Phone calls claiming to be from official organisations who reference your personal information
Emails or letters asking you to verify or provide additional details
Any communication that creates urgency or pressure to act immediately

Remember: Knowing your details doesn’t make them genuine. Legitimate organisations won’t ask for sensitive information over the phone or email.

If you notice any unusual activity or applications you didn’t make:
Report it to Action Fraud: 0300 123 2040 or visit police.uk
Keep records of any suspicious contact or activity

Support and Information
For general advice:
Citizens Advice: 0808 223 1133
Action Fraud: 0300 123 2040
For data protection concerns: ICO: 0303 123 1113
Employee Assistance Programme – 08000 856 148  and  Member Login : Workplace Options

Visit ‘Have I Been …Pwned to check if your email address is in a data breach: https://haveibeenpwned.com/

Get Safe Online: https://www.getsafeonline.org/selfhelpcentre/

Extensive guidance on how to protect yourself further is available here Cyber security advice for you & your family
Cyber security advice for you & your family – NCSC.GOV.UK

If you are concerned please contact [email protected]