UK charities including Shelter, the RSPCA, the Dogs Trust, Battersea Dogs and Cats Home, and Friends of the Earth have warned their supporters that hackers have stolen their data following a breach at a supplier.
The charities themselves haven’t been hacked. The problem instead lies with third parties working with the charities to help them conduct surveys of their supporters.
An external web server run by Kokoro, a company that was working for survey firm About Loyalty, suffered a security breach, spilling donors’ surnames, home addresses, email addresses, and information on past donations.
Charities affected, including the RSPCA and Shelter, have contacted their supporters via email, warning them of the threat.
Friends of the Earth told the Daily Mail that some 93,000 of its supporters had had their data breached.
Kokoro’s privacy policy claims that the company has “appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way” and that it has “procedures in place to deal with any suspected data security breach.”
All fine words, of course, but they are no guarantee that the company won’t ever suffer a hack.
And you, as a supporter of a particular charity, are probably completely unaware that Kokoro exists at all, let alone that it has a copy of your personal information.
Fortunately, the charities had not shared more sensitive information – such as passwords and financial details – which could have potentially put supporters at even greater risk.
Nonetheless, there remains the potential for charity supporters to be targeted by scammers who might use the stolen information to send convincing-looking emails which might ask for more sensitive information, or dupe recipients into clicking on shady links.
It would obviously be a great shame if this security breach shook anyone’s confidence in supporting such worthy charities who – quite frankly – have done nothing wrong other than work with suppliers who appear not to have secured their systems tightly enough.
The incident has been reported to the Information Commissioner’s Office (ICO) and Charity Commission.
Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy.