British charities warn supporters their personal data has been breached

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

British charities warn supporters their personal data has been breached

UK charities including Shelter, the RSPCA, the Dogs Trust, Battersea Dogs and Cats Home, and Friends of the Earth have warned their supporters that hackers have stolen their data following a breach at a supplier.

The charities themselves haven’t been hacked. The problem instead lies with third-parties working with the charities to help them conduct surveys of their supporters.

An external web server run by Kokoro, a company that was working for survey firm About Loyalty, suffered a security breach spilling donator’s surnames, home addresses, email addresses, and information on past donations.

Sign up to our free newsletter.
Security news, advice, and tips.

Charities affected, including the RSPCA and Shelter, have contacted their supporters via email, warning them of the threat.

Shelter email

Friends Of The Earth told the Daily Mail that some 93,000 of its supporters had had their data breached.

Kokoro’s privacy policy claims that the company has “appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way” and that it has “procedures in place to deal with any suspected data security breach.”

Part of Kokoro's privacy policy
Part of Kokoro’s privacy policy

All fine words, of course, but it’s no guarantee – of course – that they won’t ever suffer a hack.

And you, as a supporter of a particular charity, are probably completely unware that Kokoro exists at all, let alone that it has a copy of your personal information.

Fortunately, the charities had not shared more sensitive information – such as passwords and financial details – which could have potentially put supporters at even greater risk.

Nonetheless, there remains the potential for charity supporters to be targeted by scammers who might use the stolen information to send convincing-looking emails which might ask for more sensitive information, or dupe recipients into clicking on shady links.

It would obvious be a great shame if this security breach shook anyone’s confidence in supporting such worthy charities who – quite frankly – have done nothing wrong other than work with suppliers who appear to have not secured their systems tightly enough.

The incident has been reported to the Information Commissioner’s Office (ICO) and Charity Commission.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.