Cyber Incident Cripples UK Criminal Records Office
Ransomware May Be to Blame for ACRO’s System Shutdown.
After weeks of silence, the UK’s Criminal Records Office (ACRO) has issued a statement saying that the issues with the website that have been ongoing since January 17 were caused by a “cyber security incident.”
ACRO manages criminal record information, conducting checks on individuals as necessary to determine if they have any convictions, cautions, or pending prosecutions. Not only does it collaborate with British police and businesses, but it also shares this information with other nations.
What We Know So Far
The news comes after ACRO declared on March 21 that applications were no longer open through its online portal due to “essential website maintenance”.
The day before, it warned of significant delays in issuing police certificates because “heavy demand” caused applications to take longer to process. Since at least March 31, the ACRO website has been inaccessible due to “technical issues,” according to a message displayed on the website.
In a statement released earlier today on Twitter, the agency confirmed that a cyber attack was to blame for the website downtime that occurred last month.
Please see the following statement about a cyber security incident that is affecting ACRO services. pic.twitter.com/kCRrZ4lLvT
— Customer Services (@ACRO_Police_CST) April 6, 2023
ACRO Criminal Records Office has experienced a cyber security incident, the impact of which is primarily causing delays to the issuing of Police Certificates. (…) As soon as we were made aware on 21st March of the incident, we took robust action to take the application portal offline so we could fully investigate. We have emailed all applicants who may have been affected.
The UK police force also noted that no proof of compromised personal data has been found. But this week, it reportedly informed concerned applicants that their “identification information and any criminal conviction data” had been compromised, as reported by Evening Standard.
Could It Be Ransomware?
Cybersecurity experts are divided on whether or not this incident was caused by ransomware.
This is ransomware – for some reason the UK police criminal records office are trying to cover it up. https://t.co/tT51OgO3rh
— Kevin Beaumont (@GossiTheDog) April 5, 2023
We are aware of a cyber security incident affecting the ACRO Criminal Records Office website and are working with national agencies to fully investigate. (…) We take data security very seriously, and as soon as we were made aware of this incident we took the customer portal offline. At this time we have no conclusive evidence that personal data has been affected by the cyber security incident.
With the NCSC on board, ACRO was probably advised to hire third-party incident response specialists to assist with the recovery. If ransomware is involved, the NCSC is likely to lead negotiations with the threat actors.
In the coming days, ACRO is expected to divulge the incident through its own channels, not just through media comments, and to explain why it took so long to inform the public of the truth behind all of the disruption. In addition, it will need to explain how it intends to recover, with precise time estimates, and provide additional evidence that the sensitive data it protects is secure.
If an attacker gained access to a person’s criminal records, for example, the harm they could cause could theoretically be far more significant than what could be done with only a name, home address, and phone number – the type of material commonly taken in cyber attacks.