Important update: DBS contractor breach

There has been a confirmed data breach at Intradev Limited, an external software contractor used by APCS (Access Personal Checking Services Ltd). Volunteering Matters’ own systems were not compromised. Here you can find latest information, including frequently asked questions.

We’re contacting affected staff and volunteers directly

If you do not hear from us, you are not affected and do not need to do anything.

Frequently asked questions (FAQs)

What happened

There has been a confirmed data breach at Intradev Limited, an external software contractor used by APCS (Access Personal Checking Services Ltd). Volunteering Matters’ own systems were not compromised. We were formally notified by APCS at on Saturday 23 August.

What this means for you

  • This incident was not caused by Volunteering Matters. Our systems remain secure.
  • The issue appears to relate to information held by the DBS contractor. We are working urgently with APCS/DBS to understand exactly what data was involved.
  • So far, this issue affects primarily England only.
  • If you are affected, we will email you. For those people we do not have an email address for, we will follow up by phone.
  • If you do not hear from us, you have nothing to worry about.

What we’re doing

  • Identifying affected volunteers and staff and contacting them directly.
  • Providing practical guidance in line with the Information Commissioner’s Office (ICO) and Action Fraud advice (e.g. be alert to suspicious contact, don’t share personal details, monitor accounts, and report concerns).
  • Notifying the ICO of concerns about data retention practices by the contractor and seeking assurances this will be rectified.
  • Keeping our Trustees briefed and monitoring the situation under our Audit & Risk framework.

If you’re affected

  • Be wary of unexpected emails, texts or calls asking for personal details.
  • Never share one-time passcodes or account logins.
  • Monitor your accounts for anything unusual and contact your bank if you spot anything.
  • Report phishing attempts or suspected fraud to Action Fraud and let us know if you’re worried.

Where to get help

  • Read our FAQs for practical steps and answers.
  • If you’ve received a notification from us and have questions, contact your Engagement Manager or email dataprotection@volunteeringmatters.org.uk.
  • If you believe you are at immediate risk of fraud, contact your bank and Action Fraud.

We’re deeply sorry for the concern this may cause. While this breach was external to Volunteering Matters, your trust matters to us. We’re acting with urgency, transparency and care.

Frequently asked questions

There has been a confirmed data breach at Intradev Limited, an external software contractor used by APCS (Access Personal Checking Services Ltd). Volunteering Matters’ own systems were not compromised.

Some volunteers and staff in England whose DBS applications were processed through APCS/Intradev before 9 May 2025.

  • No passwords, bank details or ID photographs were taken.
  • For older applications (more than 6 months old), only limited “management data” (e.g. name, DBS reference number, issue date, role type) should have remained.
  • For more recent applications (within the 6 months before 31 July 2025), more detailed ID information may have been retained by APCS.

It appears that data was being held outside the timescales within the APCS privacy policy and we are looking into why this was and was remedial action is being taken.

  • Higher risk if your NI number, passport or driving licence details were in the system at the time of the breach.
  • Lower risk if only your name and DBS reference remain.
  • The main risks are identity fraud or unsolicited contact.

Follow official guidance from the Information Commissioner’s Office (ICO) What steps should I take if I have experienced a data breach? | ICO and Action Fraud:

  • Stay alert to suspicious emails, calls or texts.
  • Do not share codes, IDs or personal data with unknown callers.
  • Check your bank accounts and credit file regularly for unusual activity or new loans.
  • Report suspicious activity to Action Fraud (0300 123 2040) and let us know.
  • If you are worried about safety (e.g. your personal contact details being held elsewhere), speak to your Engagement Manager.

  • Volunteering Matters is reporting Intradev’s retention failure to the ICO on behalf of all affected staff and volunteers.
  • You also have the right to:
    • Raise a complaint directly with APCS (the contractor responsible for holding the data).
    • Complain directly to the ICO if you feel your personal data has not been handled in line with the law: ICO – Raise a Concern.

  • Volunteers: you will receive an email and a follow-up call from your Engagement Manager if your data is on the affected list.
  • Staff: you will receive a direct email from HR. Staff will not be phoned unless on leave.

  • Compiling all affected names into a single secure log.
  • Contacting every affected volunteer and staff member with guidance and support.
  • Reporting Intradev’s retention failure to the ICO.
  • Working with DBS/APCS for full accountability.
  • Keeping Trustees fully briefed and ensuring the incident is monitored under our Audit & Risk framework.

Yes. We have had assurances that the DBS system is secure and that checks can continue safely. It is important that DBS checks remain in place for safeguarding and compliance reasons.

At present, yes. We are seeking further reassurances and additional security information from APCS. While we continue to monitor the situation, we are not currently planning to disrupt DBS checking services, as this would cause unnecessary delay and risk to safeguarding.

Other content you might be interested in

Diamond Day Thank You
Back to top of the page