Data Security Incident – September 2023

A research company which Shelter worked with to manage its annual supporter surveys recently made us aware that they were subject to a data security incident. The data breach did not include any sensitive or financial details, but we are incredibly sorry for any concern this may cause.  

The research company has carried out a detailed forensic investigation and assured us there is no evidence to suggest the data has been shared further, and all of the data has since been destroyed. We have reported the incident to both the ICO (Information Commissioner’s Office) and the Charity Commission and paused all work with the company. 

We take our responsibility for protecting our supporters’ data very seriously, have robust measures in place, and have taken all the necessary steps without wanting to cause undue alarm. We will continue to monitor the situation closely and will do everything possible to prevent this from happening again.

As a precaution only, we have contacted our supporters and are asking people to look out for any suspicious or phishing emails from accounts pretending to be Shelter or another trusted organisation – which may ask for sensitive information or include links to fake websites. There is more advice on how to protect yourself at the National Cyber Security Centre.

Once again, we are really sorry for any concern caused. If you'd like more information, please do not hesitate to contact our supporter helpdesk by emailing info@shelter.org.uk or calling 0800 472 52 25 (lines are open Monday to Sunday, 8am–10pm).

What information was accessed?  

The data was restricted to name, email address, postcode, and limited information about your relationship with us, for example, information on previous donations, if you campaign with us, or have taken part in an event - if applicable. The information did not include any sensitive or financial details, such as passwords or bank details – this kind of information was never shared with the research company.  

Am I, or other people, at risk of fraud?

The research company have assured us the risk is very low, and there is no evidence it has been shared further. None of the data contained sensitive or financial information, such as bank details, and it has since been destroyed.

But as a precaution we would always advise people to be vigilant about suspicious emails. Because the data affected included contact information, like your name and email address, there is a small chance that you could be sent an email pretending to be from Shelter or another organisation in order to access more sensitive information.  Please note that a genuine email from us would never ask you to share or update your financial information over email.  

There is more advice on how to protect yourself from fraudulent emails, and how to avoid them, at the National Cyber Security Centre.

If you receive an email that you believe may be a phishing scam, do not click on any links. Instead, report it to the National Cyber Security Centre (NCSC) at ‘report@phishing.gov.uk’.

How do I know if an email is really from you?

We are advising everyone to take care when opening any emails, practising caution if asked to share any personal information. Here are some of the ways to check if an email is a scam: 

  1. If an email appears to be from Shelter, it is worth checking the specific email address it has come from - for instance, does it end in @emails.shelter.org.uk?

  2. It is also worth noting that Shelter will never contact you via email to ask you to provide your bank details or to update your card or bank details. 

  3. Do not reply directly to the email if you are concerned about its authenticity. 

  4. If you are unsure if an email is really from Shelter, please contact our Supporter Helpdesk by emailing info@shelter.org.uk or calling 0800 472 52 25 (lines are open from Monday to Sunday, 8am–10pm).

How do I know it is safe to donate to Shelter?

This data incident happened on an external server held by the research company we worked with. None of the data included sensitive or financial details.

We take our responsibility for protecting our supporters’ data very seriously and have robust measures to prevent its loss, misuse, or alteration. Our donation systems online and offline are secure and have not been compromised as part of this incident.

When you donate to Shelter we ensure the transmission is secure. We comply with PCI credit card standards, and we monitor our IT networks continuously. Shelter does not process your payment details; we use specialist payment gateway providers such as Apple Pay or PayPal.

Why were you working with an external company and giving them people’s data?

We were working with a specialist company to help deliver our annual supporter survey, which helps us to better understand how our supporters feel about us and our work so that we can improve our supporters’ experience.

Shelter would never share or sell anyone’s personal data to a third-party organisation for marketing, fundraising or campaigning purposes. You can read our full privacy policy for England and Scotland for more information.

What is the name of the agency that experienced the data security incident?

About Loyalty are a research-based consultancy. They specialise in carrying out surveys with supporters to understand what they think about the charity, and how they feel about it. About Loyalty helped Shelter to deliver an annual supporter survey which helped us understand how our supporters feel about their relationship with us and our work. We shared a limited amount of supporter data with About Loyalty for them to carry out the annual survey – this does not include any sensitive or financial details.

About Loyalty uses another company called Kokoro to help them process the survey results they collect, and it was this subcontractor who was subject to the data security incident carried out by an unauthorised third party. We take any threat to the privacy of our supporters very seriously and have taken every possible step to ensure this is fully investigated.

Who are Kokoro?

Kokoro are a data insights company and subcontractor of ‘About Loyalty’.

I am a Shelter supporter, why was I not contacted?

The research company we worked with only had data (in this case contact details) for a certain number of our supporters - they do not have data for everyone that supports Shelter.

We are only contacting our supporters whose data was being stored by the research company at the time of the incident, and therefore may have been affected.

If you believe you may have been affected and should have received a notification from Shelter, please do not hesitate to contact our Supporter Helpdesk either by emailing info@shelter.org.uk or calling 0800 472 52 25 (lines are open Monday to Sunday, 8am–10pm).

Who do I contact if I have questions or want to discuss this further?

For more information or to discuss this further, please do not hesitate to contact our Supporter Helpdesk either by emailing info@shelter.org.uk or calling 0800 472 52 25 (lines are open Monday to Sunday, 8am–10pm).