On 28 August 2025, the BBC reported a serious DBS data breach involving Access Personal Checking Services (APCS). The incident exposed highly sensitive personal data submitted as part of criminal record checks – including passports, driving licences, and utility bills – across a wide range of industries.
To be absolutely clear – this breach did not involve Aaron’s Department in any way. We are completely independent from APCS, its associated brands, and the external developers behind their systems.
At Aaron’s Department, every platform we provide – from DBS Checks to TachoMagic and Employment Tools – is built and maintained entirely in-house. That decision was made years ago with security in mind: to give us full control, minimise vulnerabilities, and prevent the kind of risks that come from outsourcing critical systems to third parties.
The Scale of the DBS Data Breach
According to the BBC:
- Thousands of people applying for DBS checks through APCS were affected.
- Exposed data included identity documents such as passports, driving licences, and other sensitive information.
- The breach has been reported to the Information Commissioner’s Office (ICO).
- APCS paused all online DBS applications while investigating the incident.
The full BBC report can be found here.
Why Third-Party Vulnerabilities Are Dangerous
It has since emerged that APCS’s DBS platform was not built in-house. Instead, it was outsourced to a third-party developer, Intradev. Outsourcing critical infrastructure means less control over security, slower responses to threats, and a higher risk of breaches.
Intradev’s Managing Director admitted:
“This incident involved unauthorised malicious activity with our systems and is being treated as a significant IT incident… We are currently conducting a detailed investigation into the incident, including a review of the affected files and systems.”
For employers, this raises an important point: when you trust a provider with sensitive compliance checks, you’re also trusting the software behind it. If that software isn’t under direct control, you inherit risks you can’t see or manage.
How Aaron’s Department Keeps Data Safe
As a software company, Aaron’s Department takes a very different approach. We don’t outsource our platforms – we build them ourselves, in-house, from the ground up. This ensures we can protect our clients’ data with the highest possible standards.
Our systems are:
- 100% in-house developed and maintained – no reliance on third parties
- Hosted securely in the UK
- Regularly penetration-tested and externally audited
- GDPR-compliant and ICO-registered
Because we own every line of code and every server decision, we have full control over security. Problems are dealt with quickly, transparently, and without waiting for an external contractor.
What This Means for Employers
If you’re an organisation that relies on providing sensitive information, whether for DBS checks or any other compliance software, it’s worth asking your provider:
- Who built your system, and who maintains it?
- Where is applicant data stored?
- How often is the platform security-tested?
- Can you guarantee GDPR compliance across the board?
If they can’t give you straight answers, that’s a red flag.
We’re Here to Help
At Aaron’s Department, we have always believed that security is not an afterthought – it’s the foundation of everything we build. From DBS Checks to tachograph analysis, our platforms are designed to keep clients compliant and data secure.
If you’d like to explore a safer, more transparent alternative to outsourced systems, our team is here to help. Whether it’s advice, a chat about your current setup, or a full demo of our software, we’ll make sure you have the clarity and confidence you need.