What has happened?
On 26 August 2025, we were notified that a third-party supplier, Intradev Limited who provides software services to multiple organisations across various sectors including Online Single Central Register (OnlineSCR), had been the victim of a cyber-attack. Importantly, this was not a targeted attack on schools or the education sector. Intradev serves multiple organisations across various sectors, and the attackers would not have known whose data they were accessing.
We use OnlineSCR to manage our Single Central Record, which is a statutory requirement under Keeping Children Safe in Education (KCSIE) for organisations working with children.
The Online SCR itself was not affected.
Who has been affected?
The breach has affected a limited number of individuals who either currently work for the Trust, or who have worked for us in the past. All current members of staff who are affected have been contacted as have former colleagues who we hold contact details for.
What information has been affected?
In a small number of cases, the following information has been breached:
- Name
- Email address
- Postal address
- National Insurance Number
- QTS registration number (if applicable).
It does NOT include:
- Passport details
- Driver’s licence details
- Financial details
- Passwords
- Medical Information
- Information on disclosures (e.g. DBS checks)
- Information about protected characteristics or other special category data (e.g. Ethnicity, disability, gender, sexual orientation, marital status)
What if I haven’t been contacted?
If you are a current member of staff, and we have not contacted you directly, then you are not affected.
We have also contacted the vast majority of our former staff for whom we still hold up-to-date contact details. However, we were informed by our supplier that the data involved appears to have been taken from a snapshot in May 2025, which may have included some information that was no longer held in the OnlineSCR system. As a result, there is a small number of individuals we have not been able to match or notify.
If you have not been contacted, it is therefore unlikely that you have been affected. However, if you are concerned or unsure, you can contact us at dpo@archwaytrust.co.uk for further advice.
What is the Trust doing?
- All known affected individuals assessed as being at high risk have been contacted directly where possible.
- The incident has been reported to the Information Commissioner’s Office (ICO) in line with our legal obligations.
- We are working with our supplier who have confirmed that data access has been revoked from the third-party service provider, we are ensuring that they are meeting their legal and contractual obligations, and that we receive regular updates on the ongoing investigation. We have no indication from the authorities about timescales of any investigations.
- We have provided affected individuals with information on how they can protect themselves and provided information about keeping safe.
- Although this incident arose outside of our direct control, we are reviewing our response and processes to identify lessons learned and further strengthen the security of our data.
Is there anything I can do?
We encourage everyone to be especially cautious of scams. Criminals may use your personal details to make fraudulent contact appear more credible. Always verify unexpected communications using official contact details and never share sensitive information via phone or email.
Extensive guidance on how to protect yourself further is available here Cyber security advice for you & your family – NCSC.GOV.UK
We also recommend that you regularly check your own credit record using a reputable site, such as Experian or Clearscore and alert your bank/lender to anything that seems suspicious.
If you are concerned please contact DPO@archwaytrust.co.uk