We’re contacting affected staff and volunteers directly
If you do not hear from us, you are not affected and do not need to do anything.
What happened
There has been a confirmed data breach at Intradev Limited, an external software contractor used by APCS (Access Personal Checking Services Ltd). Volunteering Matters’ own systems were not compromised. We were formally notified by APCS on Saturday 23 August.
What this means for you
- This incident was not caused by Volunteering Matters. Our systems remain secure.
- The issue appears to relate to information held by the DBS contractor. We are working urgently with APCS/DBS to understand exactly what data was involved.
- So far, this issue affects primarily England only.
- If you are affected, we will email you. For those people we do not have an email address for, we will follow up by phone.
- If you do not hear from us, you have nothing to worry about.
What we’re doing
- Identifying affected volunteers and staff and contacting them directly.
- Providing practical guidance in line with the Information Commissioner’s Office (ICO) and Action Fraud advice (e.g. be alert to suspicious contact, don’t share personal details, monitor accounts, and report concerns).
- Notifying the ICO of concerns about data retention practices by the contractor and seeking assurances this will be rectified.
- Keeping our Trustees briefed and monitoring the situation under our Audit & Risk framework.
If you’re affected
- Be wary of unexpected emails, texts or calls asking for personal details.
- Never share one-time passcodes or account logins.
- Monitor your accounts for anything unusual and contact your bank if you spot anything.
- Report phishing attempts or suspected fraud to Action Fraud and let us know if you’re worried.
Where to get help
- Read our FAQs for practical steps and answers.
- If you’ve received a notification from us and have questions, contact your Engagement Manager or email dataprotection@volunteeringmatters.org.uk.
- If you believe you are at immediate risk of fraud, contact your bank and Action Fraud.
We’re deeply sorry for the concern this may cause. While this breach was external to Volunteering Matters, your trust matters to us. We’re acting with urgency, transparency and care.
Frequently asked questions
There has been a confirmed data breach at Intradev Limited, an external software contractor used by APCS (Access Personal Checking Services Ltd). Volunteering Matters’ own systems were not compromised.
Some volunteers and staff in England whose DBS applications were processed through APCS/Intradev before 9 May 2025.
- No passwords, bank details or ID photographs were taken.
- For older applications (more than 6 months old), only limited “management data” (e.g. name, DBS reference number, issue date, role type) should have remained.
- For more recent applications (within the 6 months before 31 July 2025), more detailed ID information may have been retained by APCS.
It appears that data was being held outside the timescales within the APCS privacy policy, and we are looking into why this was and what remedial action is being taken.
- Higher risk if your NI number, passport or driving licence details were in the system at the time of the breach.
- Lower risk if only your name and DBS reference remain.
- The main risks are identity fraud or unsolicited contact.
Follow official guidance from the Information Commissioner’s Office (ICO) (“What steps should I take if I have experienced a data breach?”) and Action Fraud:
- Stay alert to suspicious emails, calls or texts.
- Do not share codes, IDs or personal data with unknown callers.
- Check your bank accounts and credit file regularly for unusual activity or new loans.
- Report suspicious activity to Action Fraud (0300 123 2040) and let us know.
- If you are worried about safety (e.g. your personal contact details being held elsewhere), speak to your Engagement Manager.
- Volunteering Matters has reported Intradev’s retention failure to the ICO on behalf of all affected staff and volunteers.
- You also have the right to:
  - Raise a complaint directly with APCS (the contractor responsible for holding the data).
  - Complain directly to the ICO if you feel your personal data has not been handled in line with the law: ICO – Raise a Concern.
- Volunteers: you will receive an email and a follow-up call from your Engagement Manager if your data is on the affected list.
- Staff: you will receive a direct email from HR. Staff will not be phoned unless on leave.
- Compiling all affected names into a single secure log.
- Contacting every affected volunteer and staff member with guidance and support.
- Reporting Intradev’s retention failure to the ICO.
- Working with DBS/APCS for full accountability.
- Keeping Trustees fully briefed and ensuring the incident is monitored under our Audit & Risk framework.
Yes. We have had assurances that the DBS system is secure and that checks can continue safely. It is important that DBS checks remain in place for safeguarding and compliance reasons.
At present, yes. We are seeking further reassurances and additional security information from APCS. While we continue to monitor the situation, we are not currently planning to disrupt DBS checking services, as this would cause unnecessary delay and risk to safeguarding.
We understand that this situation may have caused difficulties for some staff and volunteers, and we want to support you as best we can.
Because Volunteering Matters was not the organisation responsible for the breach, any compensation would need to be claimed from the DBS provider, not directly from Volunteering Matters.
We are working with the Information Commissioner’s Office (ICO) and our data protection advisers to find the right way forward. Our early advice is that claims for financial losses would need to be made through a legal process. We will share clearer guidance as soon as we have it.
Volunteering Matters is committed to keeping you informed and supporting you through this process.
Yes. Volunteering Matters has reported the breach to the ICO and is awaiting a case reference number and further advice. The Q&As will be updated as soon as we receive additional guidance.
The breach happened within Intradev, a contractor used by APCS. VM’s own systems remain secure. VM has reported the matter to the ICO and is seeking legal advice on the appropriate next steps. At present, VM is not liable for the breach. Any legal or compensation claims would be against the DBS provider (APCS/Intradev), not VM.
We do not yet have the full technical details. The ICO investigation will clarify the exact cause. VM’s own systems were not compromised.
APCS/Intradev should only have held data for a limited period. Data older than 6 months should have been deleted. Retaining it longer was against their policy and is part of the issue reported to the ICO.
This is being clarified with APCS as part of our accountability process. VM has asked APCS for further assurances and is seeking additional security information.
We understand this concern. Because VM is not liable for the breach, any claims for costs would need to go through APCS/DBS. VM is taking legal advice on this and will update you when clearer guidance is available.
Passports and driving licences can be replaced, though this comes with cost. NI numbers and addresses cannot be changed. We understand this creates an ongoing sense of vulnerability, which is why we are taking this breach seriously and working with the ICO.
The data was accessed through Intradev’s systems. The ICO investigation will determine whether it has been misused or is circulating elsewhere. VM’s own systems remain secure.
Not automatically. You should only consider replacing your passport if you see evidence it is being misused.
Yes. VM has reported Intradev’s data retention failure to the ICO. APCS are also under scrutiny as the contracting party.
There is a risk of misuse. That is why monitoring credit activity and using services like Cifas is advisable.
No. The breach only involved DBS application/Digital ID check data.
No. Bank details were not included in the data taken. VM’s finance systems are secure.
You do not need to report the breach itself — VM has already reported it to the ICO. But if you notice suspicious activity or fraud attempts, you should report those to Action Fraud (0300 123 2040).
- Stay alert to suspicious calls, emails, or texts.
- Do not share personal information with unknown contacts.
- Monitor your credit report and bank accounts.
- Consider services like Cifas.
- Report suspicious activity to Action Fraud.
VM will keep all affected staff and volunteers updated by email as soon as the ICO provides further information.