
The Online SCR Data Breach: What You Need to Know
The recent data breach involving Online SCR, an online provider of single central record (SCR) services, has put the personal data of education staff at risk. The breach was a result of a cyber attack on a subcontractor.
The compromised information is highly sensitive and includes:
- Names
- Dates of birth
- Email addresses
- Home addresses and phone numbers
- National Insurance numbers
- Passport and driving license details
Online SCR is reportedly taking steps to address and investigate the issue and has reported it to the ICO, but schools have an obligation as data controllers.
What to do if your organisation is impacted
If you are a client of Online SCR and you have been notified about the breach, action is required. These steps are based on guidance from the ICO:
- Don't panic, but act quickly - the clock starts ticking the moment you become aware of a breach. You have a legal obligation to report it to the ICO and affected individuals in a timely manner. DPE customers should contact us either by email or by logging a ticket. DPE will contact the ICO on your behalf.
- Contain the breach and assess the risk - work with Online SCR to understand the full scope of the incident. This includes identifying what data has been compromised and which individuals are affected. You should also take steps to limit any further damage, such as advising staff to change passwords.
- Notify the ICO - even though the data processor, Online SCR, has reported the breach, the school, as the data controller, should notify the ICO if the breach poses a risk to individuals. This should be done within 72 hours of becoming aware of the incident. DPE customers should log the breach on the Knowledge Bank portal and log a ticket if they require any further help and advice.
- Inform affected individuals - you should inform staff members whose data has been compromised. Try to be transparent and not alarmist. DPE customers should contact us, as we can provide help and support with the wording to the data subjects, offering ourselves as a contact for any questions or reassurance. Provide clear and actionable advice so they can protect themselves, such as:
  - Monitoring bank accounts
  - Watching out for phishing emails or scams
  - Offering to assist with passport renewals if passport details were compromised
  - Providing a point of contact at the school for any questions.
- Review and learn - after the initial response, conduct a thorough review of what happened.
Our understanding is that it was a sub-processor (Intradev) that was hacked. Intradev should not have had this data in their environment. It is not clear what the cyber criminals intend to do with the stolen data, but we would anticipate they are likely to threaten to release it onto the dark web unless a ransom is paid.
Always do thorough due diligence on any new suppliers and their processors. DPE customers should review our Supplier Due Diligence Best Practice Area.