Security Updates

September 15, 2025 at 8:56 AM

Latest Update

We want to reassure all our customers that our systems remain completely secure and have not been compromised in any way. You can continue to use Single Central Record services as normal, and you will continue to receive the excellent customer service experience you are accustomed to.

We understand there is concern about this incident, which took place outside of our own internal servers. However, we want to emphasise that this does not affect our current operational systems in any way. We have acted swiftly to investigate the data found on the third party's systems and have informed affected organisations as quickly as possible. To help support you through this process, we have provided a sample template that you can use with your data subjects.

We have answered all questions which are currently within our immediate knowledge and are continuing investigations to understand the full extent of the situation. Unfortunately, some of these investigations are outside of our control as they are being carried out by the third party subject to the breach and also the police.

In the meantime, please find below an updated list of frequently asked questions to address the most common queries we have received:

Frequently Asked Questions

Our systems remain robust and have not been breached. We continue to operate as normal and you can use our services with complete confidence. This incident involved a third-party software provider and was not directed at Single Central Record.

Q: Was Single Central Record specifically targeted in this cyber attack?
A: The cyber attack was not directed at SCR directly. It was aimed at our third-party software provider, which serves many clients from a diverse range of industries.

Q: What types of data were found in the data analysis?
A: The files we analysed contained incomplete and scrambled records. The fragments alone did not identify individuals or organisations. To make sense of the data, we cross-referenced each record against our secure, unbreached OnlineSCR live database to match teacher IDs and schools. It was a complex process to reconstruct the information, which offers some reassurance that the data could not be easily interpreted by an unauthorised party. To help affected schools assess the impact, we prepared and shared an Excel spreadsheet summarising the findings. This spreadsheet reformatted the raw fragments into a clearer view of what each file contained, even though it did not reflect the exact original layout of the breached data.

Q: Has any criminal records information been compromised?
A: Our understanding is that no information relating to criminal records has been exposed. At this early stage of the investigation, we can confirm that the compromised data is limited to that which has been notified to you already.

Q: What is the current status of the data held by the third-party software provider?
A: We have been informed by the third-party software provider that this data has been deleted.

Q: Do you have any evidence that the compromised data has been misused?
A: As of 15th September 2025, we have not received any evidence or confirmation that the data has been published on the dark web, and we have not had any reports of identity theft. However, the police are conducting an ongoing investigation.

Q: What key areas are being investigated in this data breach?
A: The ongoing investigation by the third-party software provider is focused on the following key areas:

  • Data storage practices – specifically, how the data came to be stored on their servers when no transfer should have occurred;
  • Status of the stolen data – including whether it has been sold or otherwise distributed;
  • Law enforcement involvement – a police investigation is underway to identify those responsible for the breach.

Q: Are the police involved in this investigation?
A: Yes, a police investigation is underway to identify those responsible for the breach.

Q: Have you engaged legal experts to review this incident?
A: We have engaged specialist commercial lawyers to conduct a thorough review of our third-party relationships and to provide recommendations where necessary. We are also liaising directly with the legal advisors of the third-party software provider.

Q: Are you strengthening your third-party contracts?
A: As part of this process, we are working closely with our legal advisors to ensure all third-party contracts are updated and strengthened where and if they consider necessary. We wish to reiterate that we are confident that our relationships with third parties are secure and this recent attack is not reflective of how secure our practices are.

Q: What additional measures have you implemented for data governance?
A: We have appointed an external specialist Data Protection Officer to further enhance our data governance. We will share more updates on this appointment and other developments as they become available.

Q: Can individuals request deletion of their data?
A: Individuals can make such requests, and we can remove their data from our internal servers. However, a hard copy extraction of the data which was subject to the cyber-attack was delivered up by the third-party software provider. This data is being retained and preserved for law enforcement purposes and to support the ongoing investigation. Once this is complete, the data will be destroyed.

Q: What is your current position on credit monitoring and compensation?
A: We are currently exploring whether credit monitoring can be offered. In respect of compensation, we suggest that individuals retain information in respect of any losses. As we have a legal team instructed who will be dealing with claims, we will not be responding to requests for compensation until the outcome of the investigation as liability has not yet been determined.

September 2, 2025 at 2:23 PM

Frequently Asked Questions

(More questions and answers will be added over time)

Q: Can we continue using Single Central Record Ltd services safely?
A: Yes, absolutely. It is important to note that our systems were not compromised and they were not the subject of a cyber-attack. We remain fully operational and our own servers and systems remain secure. You can continue using our services normally with confidence.

Q: Was this attack targeted at our organisation?
A: No. This was a separate attack on a third party’s internal systems which are separate from our own. The third party provides software services as part of their business.

Q: What was the cause of the unauthorised access to the third party systems?
A: We were informed by the third party that the unauthorised access was the result of a malicious cyber-attack by an external entity. Investigations are still ongoing as to the detail of the attack.

Q: Have you reported this to the ICO? What’s the reference number?
A: Yes, we reported this on 18th August 2025 as a precautionary measure. ICO Reference: IC-415209-Y2T2. However, as Data Controllers, you must make your own ICO report if the breach poses risk to individuals’ rights and freedoms. You can reference our number to help the ICO understand these reports relate to the same underlying incident.

Q: Why did you contact our account manager instead of our Data Protection Officer (DPO)?
A: We don’t specifically hold DPO contact details on our systems. We sent the notification to the contact we hold as the manager for your organisation account. We specifically instructed them to share the information with your DPO.

Q: What should we tell our staff about this incident?
A: You can use or adapt the Data Breach Notification Template we provided, which includes risk-based messaging depending on which data categories were affected. Further information for your data subjects on how to protect themselves from the impact of a data breach can be found on the NCSC website: www.ncsc.gov.uk/guidance/data-breaches.

Q: What data was actually compromised?
A: Where we have been provided with confirmation from the third party regarding the kind of data that has been compromised, we have provided that data directly to the customer via an Excel Spreadsheet, which was prepared by us – the spreadsheet contains details of the data that was compromised. The spreadsheet itself was not compromised but prepared by us as a means of effectively communicating the nature of the data.

Q: What data was potentially compromised?
A: No passwords, banking details, account access information, criminal conviction information, or photographic material (passport/driving licence photos) were compromised. However, the nature of the information potentially compromised includes national insurance numbers, passport numbers and driving licence details.

Q: Why did the third party have our data?
A: How our data was made available on the third party’s systems is currently being investigated. We wish to clarify that the third-party contractor was contracted to provide software services only. We will update this page when our investigation concludes.

Q: What certification does Single Central Record Ltd have?
A: We have ISO 27001 and Cyber Essentials Plus certification. You can view these by following the links below. We have also included a link to our ICO Data Protection Registration Certificate.

Q: What happens next?
A: We will continue to publish updates on this page as information becomes available.

Contact Information

For questions about your organisation’s specific affected data:
Email: security@onlinescr.co.uk

Please note: Due to high volume, we may not be able to respond individually to every query. This page addresses the most common questions and will be updated regularly with new information.

September 2, 2025 at 11:52 AM

Description of the Incident

On 17th August 2025, we were notified by our third party software supplier that they had been a victim of a cyber-attack, and an area of their system had been subject to unauthorised access. The incident itself occurred on 31st July 2025 and enquiries are being made into the delay in reporting to us. A preliminary report from the third party set out that copies of a number of files were obtained and that some of these files contained personal data. We are aware that the third party had copies of some of our data on their own servers, and we are actively investigating how and why this occurred. Our investigations are ongoing to determine how the data was extracted and impacted by the cyber-attack. We are committed to ensuring the highest standards of data protection and are taking all necessary steps to address this situation.

We want to reassure our customers that our internal operational systems were not compromised and remain fully secure. We continue to uphold our ISO 27001 certification and Cyber Essentials Plus accreditation. These certifications reflect our rigorous security measures and our dedication to maintaining the highest level of data protection.

We remain committed to transparency and security. Organisations can continue using our services with complete confidence. We are in communication with the ICO in respect of the data breach and are also in communication with the third party. We will continue to provide updates on this webpage as the investigation develops.

What Remedial Actions Have Been Taken

Immediate Actions confirmed by Third Party:

  • All servers were taken offline immediately after the breach was discovered
  • External IP addresses have been changed
  • External routers have been reconfigured
  • All servers are being rebuilt with additional security measures installed
  • All domain passwords have been changed

Actions by Single Central Record Ltd:

  • Immediate security review of our own systems (confirmed not compromised)
  • Restricted access credentials for the third party personnel while under investigation
  • Implemented additional access controls and monitoring
  • Reported the breach to the Information Commissioner’s Office (ICO)
  • Comprehensive analysis of all compromised data to identify affected individuals

Data Categories Compromised

We have provided a list of the compromised data categories for each data subject to the relevant data controllers. Please note: Only text data was affected – no passwords, banking details, or account access information were compromised. No photographic material has been compromised (e.g. passport / driving licence photos).

Your Obligations Under UK GDPR

If you are the data controller, you are required to:

  1. Assess risk to your data subjects – those with National Insurance numbers, driving licence numbers, or passport numbers face higher potential risk of impersonation for new applications
  2. Notify the ICO within 72 hours if the breach is likely to result in a risk to individuals’ rights and freedoms
  3. Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms
  4. Provide appropriate guidance on protective steps they can consider

Support Package

To minimise your administrative burden and ensure appropriate guidance for your data subjects:

  1. We have prepared a Data Breach Notification Template for data controllers to customise and send to affected data subjects
  2. We have provided the list of specific data subjects affected in each organisation and the exact data categories compromised for each individual

Risk Categorisation for Your Planning

  • Potentially Higher Impact (Consider priority notification): anyone with National Insurance number, driving licence number, or passport number affected
  • Moderate Impact: those with full personal details – may receive targeted contact attempts
  • Minimal Impact: basic contact details only – primarily spam or marketing risk

Next Steps

  1. Review the list of data subjects we have provided to identify exactly which data subjects are affected and the compromised data for each
  2. Assess risk to your data subjects based on the spreadsheet
  3. Customise the notification template with your organisation’s details
  4. Send notifications to higher-risk individuals without undue delay
  5. Consider your ICO notification obligations based on your risk assessment

Support Available

We recognise the severity of this incident and will do our best to support you through this process. The materials provided follow a measured approach to meet obligations while focusing on actual risks.

We will publish updates on this page as more information becomes available and to address frequently asked questions. Please check this page for further updates as we may not be able to respond individually to every request.

Please direct any further enquiries regarding this incident to security@onlinescr.co.uk.
