Major charities reassure supporters as regulators assess data breach

27 Sep 2023 News


Charities including RSPCA, Shelter, Dogs Trust, Battersea and Friends of the Earth have moved to reassure their supporters over their data as regulators assess a cyber attack at a sector supplier.

The Information Commissioner’s Office confirmed it is making enquiries into a data breach at research company Kokoro, a partner of charity sector consultancy About Loyalty.

Kokoro investigated the breach and told About Loyalty that hackers were able to access supporter details including names, email addresses and historic donation information. 

The Charity Commission confirmed that a number of charities had been affected by the data breach and filed serious incident reports with it. 

A Commission spokesperson said: “We can confirm that, in line with our guidance, a number of charities affected by a data breach at a third-party company have reported a serious incident to us.

“We are assessing the information provided to determine whether the trustees are handling the matter appropriately.”

About Loyalty works with more than 40 UK charities but it is not known how many charities have been affected by the cyber attack.

Shelter said it had reported the incident to both the ICO and the Charity Commission and paused all work with the company.

RSPCA said it had similarly contacted the regulators and conducted its own investigation “to ensure an incident like this will not happen again.”

Financial information not accessed, say suppliers

About Loyalty said it informed the affected charities immediately after the breach last month and that hackers were not able to access postal addresses, financial information or identity documentation. 

“Our third-party research partner, Kokoro, recently informed us that they had experienced a cybersecurity incident which may have involved access to some data relating to a subset of About Loyalty’s clients,” a spokesperson for About Loyalty said.

“This information was limited to supporter contact details and historic donation information.”

Meanwhile, a Kokoro spokesperson said: “We launched an immediate investigation with the support of external IT security specialists and engaged in mitigation, containment and recovery measures.

“We are confident that the incident has now been contained and there is no ongoing risk to our systems and we have notified those whose data has been impacted.”

Friends of the Earth: ‘We have told our supporters potential risks to look out for’

Hugh Knowles, co-executive director at Friends of the Earth, said: “We’ve been informed by a consultancy we work with, About Loyalty, that a supplier they work with has been affected by a data breach involving some of our supporters’ data. 

“We are taking this incident very seriously. While we’re certain that no sensitive or financial data has been accessed, we have been contacting our supporters to let them know about the breach, the potential risks to look out for and who to contact if they’re concerned.

“Cyber-attacks of this nature are an unfortunate reality in our digital world and Friends of the Earth has robust processes and procedures in place to protect our supporters’ data. 

“We’re reviewing what happened and working closely with About Loyalty to understand the details and extent of the data breach.”

Shelter: ‘Incredibly sorry’

Tim Gutteridge, director of finance and strategy enablement at Shelter, said: “The data breach at a research company we were working with did not include any sensitive or financial details, but we are incredibly sorry for any concern this incident may cause.

“The research company has carried out a detailed forensic investigation and assured us there is no evidence to suggest the data has been shared further and all of the data has since been destroyed. We have reported the incident to both the ICO and the Charity Commission and paused all work with the company,” he said.

“We take our responsibility for protecting our supporters’ data very seriously, have robust measures in place, and have taken all the necessary steps without wanting to cause undue alarm. We will continue to monitor the situation closely and will do everything possible to prevent this from happening again.”

Battersea: ‘The privacy of our supporters is of the utmost importance’

A Battersea spokesperson said: “About Loyalty has informed us that their sub-processor has recently been the subject of an IT security incident.

“No sensitive personal data or financial information has been accessed, however some contact information for members of the public may have been and, whilst there is unfortunately no way to know if supporters have been directly affected by the incident, there is no evidence that any data has been used in an unauthorised way.

“We have taken this matter very seriously and the safety and privacy of our supporters is of the utmost importance; therefore, as a precaution, we have contacted those who may have been affected to offer support and advice.”

RSPCA: ‘No evidence that this data has been shared further’

An RSPCA spokesperson said: “We were concerned to hear about a security breach involving a company which holds limited information about some of our supporters – this does not include financial information.

“Although there is no evidence that this data has been shared further, we contacted our supporters as a precaution to offer our reassurance and support. We also informed the ICO and the Charity Commission about the breach.

“The safety and security of our supporters' details are paramount and we have a rigorous system in place to ensure that any personal data is safe and secure. We expect the same high standards from any company acting on our behalf.

“We conducted a thorough investigation as soon as this was brought to our attention to ensure an incident like this will not happen again.”

Dogs Trust: ‘We take this breach very seriously’

A Dogs Trust spokesperson said: “We are reliant on the generosity of our supporters, and we take the security of the data they share with us very seriously.

“As soon as we were informed that a third-party we have worked with for some time had experienced a data breach, we took action to establish what that meant for us and our supporters.

“We are confident that no sensitive personal or financial data was accessed, and we are in the process of informing all those supporters affected as a precautionary measure.

“Dogs Trust has been working closely with the third-party provider, the ICO and other charities affected, and we are confident that this security breach has been resolved and there is no continued risk to our supporters' information.

“We take this breach very seriously, and we have undertaken all the necessary measures to ensure this incident was appropriately dealt with and that similar incidents are prevented in future.”
