Skip to main content

Doxxing Response for UK Journalists

Immediate steps and pre-emptive measures: Cloudflare protection, account hardening, ICO complaints, police reports, Glitch UK, PrivacyDuck, and legal options under the Protection from Harassment Act 1997 and Online Safety Act 2023.

Last reviewed: Next review due:

Immediate response: if you are being doxxed now

Doxxing attacks typically escalate quickly — the window between initial disclosure and real-world harm can be hours, not days. Act on all the steps below simultaneously if possible; do not wait until you have gathered comprehensive evidence before informing people in your home or reporting to police.

  1. 1
    Document everythingScreenshot every post or message containing your personal information, with URLs and timestamps. Save to a secure location you control — not only on the device that may be targeted.
  2. 2
    Inform trusted contactsTell people in your home, family, and workplace what is happening. They need to know in case of physical approaches, threatening calls, or unexpected visitors.
  3. 3
    Harden your accounts immediatelyChange passwords, enable 2FA on all major accounts, lock down social media profiles to friends-only or private. Use a password manager if you are not already doing so.
  4. 4
    Report to platformsReport doxxing content under each platform's privacy violation policies. All major platforms now have specific reporting routes for personal information disclosure, and the Online Safety Act 2023 requires them to respond more rapidly than before.
  5. 5
    Report to policeCall 101 or report online. If you believe you are at immediate risk, call 999. Provide your screenshots as evidence. Ask for a crime reference number — you will need it for other steps.
  6. 6
    File a complaint with the ICOIf your data is being published on a website without lawful basis, file a complaint at ico.org.uk/make-a-complaint. The ICO can order deletion and issue enforcement notices against UK-based data controllers.
  7. 7
    Contact NUJ welfareThe NUJ welfare team can provide support and connect you with specialist resources including legal advice and media-aware psychological support.

Legal options: Protection from Harassment Act 1997 and Online Safety Act 2023

The Protection from Harassment Act 1997 (PHA) creates both civil and criminal liability for harassment, including online campaigns of intimidation. A course of conduct involving at least two incidents can constitute harassment under the PHA. Victims can apply to the civil courts for an injunction restraining the harasser, and breaches of such injunctions are criminal offences. The PHA also creates the offence of stalking (s.2A and 4A, as amended by the Protection of Freedoms Act 2012), which encompasses persistent online monitoring and doxxing campaigns.

The Online Safety Act 2023 introduced new criminal offences directly relevant to doxxing: sending false communications with intent to cause non-trivial harm (s.179), and sharing intimate images without consent. The Act also imposed stronger duties on platforms to prevent priority illegal content — including content that facilitates harassment — and created a faster removal pathway. OFCOM is the regulator responsible for enforcement.

A media law solicitor can advise on whether the facts of your specific situation support a civil claim or criminal complaint. The NUJ can provide initial referrals. Legal aid for harassment injunctions is limited, but some specialist firms act on conditional-fee arrangements.

Protecting your website and online presence

Cloudflare for websites

If you run a personal website, put it behind Cloudflare. This hides your origin server IP address and provides DDoS protection. Use Cloudflare Registrar to also protect your domain registration WHOIS data.

Domain WHOIS privacy

Enable WHOIS privacy protection on all domain registrations through your registrar. This prevents your address appearing in public DNS records.

Social media profile lockdown

Switch public profiles to private or restrict who can tag you, see your connections, or send you messages. Remove location data from past posts.

Google account activity

Enable Google's "Results about you" feature to monitor when your personal information appears in search results and request removal. This is free and works across Google Search globally.

Pre-emptive: removing your data from broker sites

Data broker sites aggregate personal information from public records and sell it. Many UK journalists have their home address, phone number, and employer listed on such sites. Under the UK GDPR, you can request removal using your right to erasure (Article 17). This does not remove information from the underlying public records — it only removes it from the broker's published database.

For journalists at sustained or elevated risk, professional data removal services such as PrivacyDuck can handle the removal process across dozens of data broker databases simultaneously. The NCSC also publishes guidance on managing your personal digital footprint that covers both social media and data broker exposure.

  • Search for your name on major people-finder sites (192.com, ZoomInfo, and UK-facing equivalents) and submit removal requests under UK GDPR Article 17.
  • Request an anonymous electoral roll listing via your local Electoral Registration Office — this suppresses your address from the open register sold to commercial data users.
  • Remove your address from Companies House records if you are a director — use a registered office service address instead.
  • Use a PO box or professional address for public-facing journalism correspondence and press enquiry email addresses.
  • Consider PrivacyDuck or a similar managed removal service if you are at sustained risk and lack the time for manual opt-out.
  • The NCSC guidance on protecting your personal information online (ncsc.gov.uk) covers additional steps including social media hygiene and account separation.

Red flags: signs a doxxing situation is escalating

  • Your home address or family members' names appear in the same posts — this signals intent to extend harm beyond you personally.
  • Posts are being shared by accounts with large followings — the audience is being mobilised, not just the original poster.
  • You receive calls at your home phone or direct messages referencing specific personal details — someone is acting on the published information.
  • Multiple platforms are being used simultaneously — this indicates an organised campaign, not an individual actor.
  • Content includes explicit threats alongside personal information — this is a separate criminal offence and should be reported to police immediately.
  • Your employer or publication is also being targeted — notify your editor immediately so they can apply their own response protocols.
  • You receive delivery attempts, packages, or visitors at your home address that you did not initiate — this may indicate swatting preparation.

Common mistakes in doxxing response

  • Engaging publicly with the attack — responses, corrections, or denials on the same platform amplify the original content algorithmically.
  • Deleting your own accounts entirely — this destroys your ability to monitor the attack and contact platform support.
  • Waiting to report to police until the attack “gets serious enough” — early documentation and a crime reference number protect you if the situation escalates.
  • Not informing your employer or editor — they need to know to apply organisational protocols and to avoid being blindsided.
  • Only requesting removal from the original post without checking aggregator sites that may have copied the information within minutes.
  • Not changing passwords and enabling 2FA across all accounts — doxxing is often accompanied by account takeover attempts.

Support organisations

Glitch UK

Charity working to end online abuse, with specialist resources for journalists from marginalised groups. Free Self-care Toolkit available online.

https://glitchcharity.co.uk

ICO

File complaints about unlawful data processing, including doxxing sites. Right to erasure requests. Can issue enforcement notices and fines.

https://ico.org.uk/make-a-complaint

NCSC

Practical guidance on protecting personal information and responding to cyber threats. Free resources for individuals and organisations.

https://www.ncsc.gov.uk

NUJ Welfare

Support and referrals for journalists experiencing harassment, doxxing, or stalking. Also provides initial access to legal advice.

https://www.nuj.org.uk

Frequently asked questions

What is doxxing and why are journalists targeted?
Doxxing involves the public disclosure of a person's private information — typically home address, phone number, workplace, or family details — without consent, with the intent to harass or harm. Journalists are targeted because their work generates public attention and opposition. Investigative, political, and crime reporters face higher risk. Doxxing can escalate to swatting (false emergency calls to a target's address) in extreme cases. Under the Online Safety Act 2023, platforms now have stronger obligations to remove doxxing content rapidly.
Can I make a complaint to the ICO about doxxing?
Yes. Doxxing involves the processing of your personal data without a lawful basis, in violation of the UK GDPR (retained in UK law post-Brexit). You can complain to the Information Commissioner's Office (ICO) about the website or individual responsible. The ICO can investigate and order deletion of personal data. This is most effective against organised data broker sites rather than anonymous social media accounts. The ICO can also issue enforcement notices and fines against UK-based data controllers.
What criminal offences cover doxxing in the UK?
Several criminal offences may apply depending on the conduct: stalking (Protection from Harassment Act 1997), malicious communications (Malicious Communications Act 1988), threatening communications (Online Safety Act 2023 serious harm offence), and harassment (Protection from Harassment Act 1997). The Criminal Justice and Courts Act 2015 also covers disclosure of private sexual images. The Online Safety Act 2023 created a specific offence of sending false communications with intent to cause harm. Report to police via 101 or online. Gather evidence (screenshots with timestamps and URLs) before reporting.
How do I remove my address from the electoral register?
You can apply for an anonymous entry on the electoral register, which means your address is not published on the open register. Contact your local Electoral Registration Office and provide reasons relating to safety. For journalists, the risk of personal violence or harassment from the public is a recognised ground. Your address will still be held by the registration office but not shared with commercial data users.
What is Glitch UK and how can it help?
Glitch UK is a charity working to end online abuse, particularly affecting women and people from ethnic minority backgrounds. It provides resources, research, and direct support for individuals experiencing online harm. The Glitch Safety Team can provide guidance on responding to online abuse campaigns. Their Self-care Toolkit is available free at glitchcharity.co.uk.
What is PrivacyDuck and should I use it?
PrivacyDuck is a professional data removal service that submits opt-out requests to data broker sites on your behalf. It operates across UK and international people-search and data broker databases. It is a paid service, but for journalists at elevated risk it can be significantly more efficient than manual self-removal. Glitch UK and the NUJ can advise on whether a managed removal service is appropriate for your specific situation.