August 28, 2025

Online SCR: data breach impacting educators


In brief

As has already been reported, background check service provider Online SCR has experienced a major data breach which has impacted (and continues to impact) educators across the UK.

The breach is the result of a cyberattack on the systems of a subcontractor used by Online SCR in the delivery of its services. Most of the personal data which has been compromised relates to staff or former staff, but other categories of data subject have been implicated.

In more detail

Schools are legally obliged to keep a single central record of data gathered in background checks undertaken on prospective staff before their appointment to roles which involve working with children. These records can be provided and maintained by external suppliers, such as Online SCR.

The subcontractor in question is a software developer, Intradev. Most of the clients we have spoken with thus far were not aware that Intradev was involved in the provision of Online SCR’s services.

The personal data which has been accessed and copied includes names, dates of birth, email addresses, home addresses, phone numbers, national insurance numbers and passport details.

Our understanding is that Intradev’s systems were infiltrated by sophisticated cybercriminals with malicious intent, before Online SCR customers’ personal data was accessed and copied. It is not clear yet what the cybercriminals intend to do with the stolen information, but in our experience it is common for cybercriminals to threaten to release information on the dark web for auction unless a ransom is paid.

The positive news is that Online SCR appears to be acting responsibly: they have informed all affected customers, have helped them to identify which data subjects have been implicated, and they have self-reported to the ICO.

What should you do?

If you do not use Online SCR, your organisation will not be impacted. 

If you do use Online SCR, then look out carefully for any updates from them. If you have been affected you should have heard from them, but if you do use Online SCR and have not heard from them, we recommend asking Online SCR to check to make sure.

We recommend taking the following steps if you have been affected:

  • Notifying the ICO that you are a data controller which is implicated – while Online SCR is taking responsibility with the ICO, technically, the responsibility to notify still lies with the relevant school or trust as data controller, so the ICO should be notified for good order. This should be done within 72 hours of becoming aware of the incident.
  • Notifying affected data subjects: if you have been affected, our understanding is that Online SCR is able to identify by name the precise data subjects affected. These individuals will need to be notified. We recommend doing so in a way which provides sensible self-help suggestions, such as working with organisations like Action Fraud, providing advice to affected individuals on how to look out for and avoid social engineering scams, and offering to help with passport renewals. Communications should be measured so that they are transparent and reassuring, but not alarmist.
  • Reviewing your terms of service with Online SCR to consider your options (such as termination or putting them on notice for any expenses or losses which may be incurred or suffered due to the breach).
  • Reviewing any data protection impact assessment you carried out ahead of using Online SCR. If none was carried out, we recommend carrying one out.

Stone King is available to assist with any of the above as may be required. Contact Lucas Atkin for more details.
