back to article Criminal records office yanks web portal offline amid 'cyber security incident'

ACRO, the UK's criminal records office, is combing over a "cyber security incident" that forced it to pull its customer portal offline. As the name implies, the government agency manages people's criminal record information, running checks as needed on individuals for any convictions, cautions, or ongoing prosecutions. It …

  1. tiggity Silver badge


    Unimpressed that their Twitter posts linked in the article were not telling the full story about it being a "cyber attack" - they mentioned maintenance, but without saying it was enforced maintenance due to a security incident (so implying it was just more routine maintenance).

    We need a culture of openness about such things, especially when it was widely known* this was due to cyber attack

    * Mentioned on security related forums & apparently on Twitter by various people

  2. Korev Silver badge

    We're not sure ACRO should be handing out security advice right now but in any case, it urged users to make sure they use "strong and unique passwords"

    Even with a 1000 character-long random password, this wouldn't have helped if the miscreants had compromised the system and have access to some very sensitive data.

    Having a unique password is always sensible though.

  3. cyberdemon Silver badge

    "we have no conclusive evidence that personal data has been affected by the cyber security incident"

    = "we have evidence that personal data has been affected by the cyber security incident, but it is not considered to be conclusive evidence, because we haven't concluded (or started) our investigation yet"

  4. sitta_europea Silver badge

    "We take data security very seriously ..."

    So seriously, in fact, that

    (1) we didn't notice crooks were using our computers for more than two months and

    (2) we freely admit that *now* we're going to find out how not to let that happen.

    If people are taking it seriously, how come every friggin' day there's another million-plus personal data breach?

    I'm beginning to think it should be illegal to have personal data on systems which are connected to the Internet.

    I'm not convinced that *anybody* is capable of protecting it.

    1. VoiceOfTruth Silver badge

      Quick, there's been a digital burglary or break in. What should we do?

      1. Get the boilerplate out there...

      -> "We take data security very seriously ..."

      Every single time.

      -> I'm not convinced that *anybody* is capable of protecting it.

      That's about right. Think Solarwinds.

    2. Mike Pellatt

      "We take data security very seriously ..."

      It's the same sort of terminological inexactitude as

      "Your call is important to us"

      when you've been told that 50 times after being on hold for 25 minutes.

      It clearly isn't the least bit important to you, otherwise you'd have, you know, actually answered the call by now.

  5. VoiceOfTruth Silver badge

    Inside job?

    The Met (and no doubt most other police forces in the UK) has been labelled institutionally corrupt, racist, sexist, and homophobic from top to bottom. Perhaps whoever is investigating the CRO blag should start by calling in every PC who has ever been near it.

    1. Binraider Silver badge

      Re: Inside job?

      One does not have to look far in the UK to find someone corrupt, racist, sexist or homophobic on some level.

      Saying that that proportions of the met have issues is not really any different to saying society at large has issues, which, for all of the best efforts, it absolutely has issues.

      It could be worse. There was a job advert circulated recently (and quickly taken down but not before screenshots taken) of an org in Dallas insisting on white males only within 60 miles of the city.

      1. I am David Jones

        Re: Inside job?

        “Saying that that proportions of the met have issues is not really any different to saying society at large has issues”

        It absolutely is different in my book. People who are paid to police illegal behaviour, and who are given extra powers to do so, should be held to a much higher standard. Basically zero tolerance for their own illegal behaviour and for any colleagues who see it but don’t report it.

        1. anothercynic Silver badge

          Re: Inside job?

          One thing that I wondered when the new Commissioner for the Met claimed that people had volunteered to be part of the 90+ people investigating people in the Met was that whether any of those volunteers had in turn been checked, vetted and investigated to yazoo or not!

          After all, what better way to make sure your mates in your dodgy Whatsapp group are not caught being homophobic, xenophobic, misogynist and dodgy by volunteering to investigate the dodgy apples in the cart that is the Met! And when you *do* discover that one of them *is* in fact being investigated, you post "Landslide!" into the group to terminate it immediately, whilst going on about your business possibly manufacturing evidence against those who are investigating or those who've wronged you?

          I know, call me paranoid, but given I've seen documentaries from reputable networks about corruption in the Met and how the culture has continued to be as rotten as it is now, I think the above scenario is not outside reality...

    2. This post has been deleted by its author

  6. Anonymous Coward
    Anonymous Coward

    Underwear details available on line?

    Quote: "...typically includes a decade's worth of name and address history, extended family information, a new foreign address, legal representation, passport information, photo and data PIN cautions, reprimands, arrests, charges or convictions..."

    Ah yes.......that's what they say they have recorded!! I'm wondering what else is on the hacked grandfather's name and address? My second cousin's phone number and IP address? My hairdresser's partner's email address? The colour of my M&S underwear?

    I think we should be told!!

    1. Lis Bronze badge

      Re: Underwear details available on line?


      Not surprised you are a/c. You admit to wearing underwear by M&S? Are you posh?

  7. First Light Silver badge


    I'm wondering if some of those in the system were police informants, and whether or not that is indicated in the data, as would be their current, non-public addresses.

    Or, if someone is "hiring". There is no end to the usefulness of a database of crooks, for myriad people and a myriad of reasons.

  8. mark l 2 Silver badge

    I am assuming the data held within the ACRO database does not just relate to people who have a criminal conviction, since its what is used when you apply for a job/visa etc where they require you to provide a police certificate to see if you have any criminal convictions, then surely it must also hold the personal details of everyone who has had to make an application whether they had convictions or not?

  9. TheMaskedMan Silver badge

    "passport information, photo and data PIN cautions, reprimands, arrests, charges or convictions..."

    Am I correct in thinking there's at least one comma missing here, or are "photo and data PIN cautions" a thing? If so, what kind of thing are they?

    I'm assuming that PIN stands for Police Information Notice, which I understood to have (quite rightly) been discontinued years ago.

    I can't help noticing mention of arrests, with or without charge, much less conviction. The number of disclosable arrests is likely to go up rather sharply if the false positive figure of 1 in 6000 discussed in the article on face recognition is accurate.

  10. Anonymous Coward
    Anonymous Coward

    I had no choice

    I had to use this service recently after I accepted a job offer and handed my notice in elsewhere, I didn't know I'd need to do it - wasn't disclosed - and it was a requirement for me to start.

    I received no email saying my data is stolen, yet I know it should have been on their systems.

    The ICO should look at the scope of this because I suspect it's far larger than ACRO are currently admitting to.

    If you store identity and background data, there is absolutely no excuse for this utter incompetence.

    Heads should roll because of the potential damage this will do and lives it can ruin through identity theft. The whole business is based around keeping that information secure and away from crooks who can potentially now commit crime using your credentials!!!

  11. Richard Pennington 1

    Criminal records

    How long before the ACRO site features its own criminal record?

  12. Tron Silver badge

    Expect delays.

    If this site processes applications to work with kids or vulnerable people, then entire sectors are going to be unable to hire anyone any time soon, as their manual alternative will not be fast. And as well as rationing coach travel at the channel, you might have trouble getting a visa. I guess that's one way to stop Britons' 'freedom of movement'.

  13. greenwood-IT

    Thoughts and Prayers

    Rather than extract the data, it would be far more "fun" to add details to past Prime Ministers records :-) It's not always what you can take, but sometimes what you can give back to society :-)

  14. PuffinRub

    Will we get answers?

    The RIPE database shows that it's run by Hertfordshire County Council, the I.T. company responsible went under in 2012 after being brought out by an American I.T. organisation (whose directors are all based in the United States) which is turn was purchased by a massive venture capital company. The IT Systems Administrator job required only an ITIL Foundation certification but don't just take my word for it: []

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like