Last reviewed: Next review due:
Immediate response: if you are being doxxed now
Doxxing attacks typically escalate quickly — the window between initial disclosure and real-world harm can be hours, not days. Act on all the steps below simultaneously if possible; do not wait until you have gathered comprehensive evidence before informing people in your home or reporting to police.
- 1Document everythingScreenshot every post or message containing your personal information, with URLs and timestamps. Save to a secure location you control — not only on the device that may be targeted.
- 2Inform trusted contactsTell people in your home, family, and workplace what is happening. They need to know in case of physical approaches, threatening calls, or unexpected visitors.
- 3Harden your accounts immediatelyChange passwords, enable 2FA on all major accounts, lock down social media profiles to friends-only or private. Use a password manager if you are not already doing so.
- 4Report to platformsReport doxxing content under each platform's privacy violation policies. All major platforms now have specific reporting routes for personal information disclosure, and the Online Safety Act 2023 requires them to respond more rapidly than before.
- 5Report to policeCall 101 or report online. If you believe you are at immediate risk, call 999. Provide your screenshots as evidence. Ask for a crime reference number — you will need it for other steps.
- 6File a complaint with the ICOIf your data is being published on a website without lawful basis, file a complaint at ico.org.uk/make-a-complaint. The ICO can order deletion and issue enforcement notices against UK-based data controllers.
- 7Contact NUJ welfareThe NUJ welfare team can provide support and connect you with specialist resources including legal advice and media-aware psychological support.
Legal options: Protection from Harassment Act 1997 and Online Safety Act 2023
The Protection from Harassment Act 1997 (PHA) creates both civil and criminal liability for harassment, including online campaigns of intimidation. A course of conduct involving at least two incidents can constitute harassment under the PHA. Victims can apply to the civil courts for an injunction restraining the harasser, and breaches of such injunctions are criminal offences. The PHA also creates the offence of stalking (s.2A and 4A, as amended by the Protection of Freedoms Act 2012), which encompasses persistent online monitoring and doxxing campaigns.
The Online Safety Act 2023 introduced new criminal offences directly relevant to doxxing: sending false communications with intent to cause non-trivial harm (s.179), and sharing intimate images without consent. The Act also imposed stronger duties on platforms to prevent priority illegal content — including content that facilitates harassment — and created a faster removal pathway. OFCOM is the regulator responsible for enforcement.
A media law solicitor can advise on whether the facts of your specific situation support a civil claim or criminal complaint. The NUJ can provide initial referrals. Legal aid for harassment injunctions is limited, but some specialist firms act on conditional-fee arrangements.
Protecting your website and online presence
Cloudflare for websites
If you run a personal website, put it behind Cloudflare. This hides your origin server IP address and provides DDoS protection. Use Cloudflare Registrar to also protect your domain registration WHOIS data.
Domain WHOIS privacy
Enable WHOIS privacy protection on all domain registrations through your registrar. This prevents your address appearing in public DNS records.
Social media profile lockdown
Switch public profiles to private or restrict who can tag you, see your connections, or send you messages. Remove location data from past posts.
Google account activity
Enable Google's "Results about you" feature to monitor when your personal information appears in search results and request removal. This is free and works across Google Search globally.
Pre-emptive: removing your data from broker sites
Data broker sites aggregate personal information from public records and sell it. Many UK journalists have their home address, phone number, and employer listed on such sites. Under the UK GDPR, you can request removal using your right to erasure (Article 17). This does not remove information from the underlying public records — it only removes it from the broker's published database.
For journalists at sustained or elevated risk, professional data removal services such as PrivacyDuck can handle the removal process across dozens of data broker databases simultaneously. The NCSC also publishes guidance on managing your personal digital footprint that covers both social media and data broker exposure.
- ›Search for your name on major people-finder sites (192.com, ZoomInfo, and UK-facing equivalents) and submit removal requests under UK GDPR Article 17.
- ›Request an anonymous electoral roll listing via your local Electoral Registration Office — this suppresses your address from the open register sold to commercial data users.
- ›Remove your address from Companies House records if you are a director — use a registered office service address instead.
- ›Use a PO box or professional address for public-facing journalism correspondence and press enquiry email addresses.
- ›Consider PrivacyDuck or a similar managed removal service if you are at sustained risk and lack the time for manual opt-out.
- ›The NCSC guidance on protecting your personal information online (ncsc.gov.uk) covers additional steps including social media hygiene and account separation.
Red flags: signs a doxxing situation is escalating
- Your home address or family members' names appear in the same posts — this signals intent to extend harm beyond you personally.
- Posts are being shared by accounts with large followings — the audience is being mobilised, not just the original poster.
- You receive calls at your home phone or direct messages referencing specific personal details — someone is acting on the published information.
- Multiple platforms are being used simultaneously — this indicates an organised campaign, not an individual actor.
- Content includes explicit threats alongside personal information — this is a separate criminal offence and should be reported to police immediately.
- Your employer or publication is also being targeted — notify your editor immediately so they can apply their own response protocols.
- You receive delivery attempts, packages, or visitors at your home address that you did not initiate — this may indicate swatting preparation.
Common mistakes in doxxing response
- Engaging publicly with the attack — responses, corrections, or denials on the same platform amplify the original content algorithmically.
- Deleting your own accounts entirely — this destroys your ability to monitor the attack and contact platform support.
- Waiting to report to police until the attack “gets serious enough” — early documentation and a crime reference number protect you if the situation escalates.
- Not informing your employer or editor — they need to know to apply organisational protocols and to avoid being blindsided.
- Only requesting removal from the original post without checking aggregator sites that may have copied the information within minutes.
- Not changing passwords and enabling 2FA across all accounts — doxxing is often accompanied by account takeover attempts.
Support organisations
Glitch UK
Charity working to end online abuse, with specialist resources for journalists from marginalised groups. Free Self-care Toolkit available online.
https://glitchcharity.co.ukICO
File complaints about unlawful data processing, including doxxing sites. Right to erasure requests. Can issue enforcement notices and fines.
https://ico.org.uk/make-a-complaintNCSC
Practical guidance on protecting personal information and responding to cyber threats. Free resources for individuals and organisations.
https://www.ncsc.gov.ukNUJ Welfare
Support and referrals for journalists experiencing harassment, doxxing, or stalking. Also provides initial access to legal advice.
https://www.nuj.org.ukFrequently asked questions
What is doxxing and why are journalists targeted?
Can I make a complaint to the ICO about doxxing?
What criminal offences cover doxxing in the UK?
How do I remove my address from the electoral register?
What is Glitch UK and how can it help?
What is PrivacyDuck and should I use it?
Related guides
Primary sources
- ICO — Make a Complaint (Right to Erasure)— Information Commissioner's Office
- NCSC — Protecting Personal Information— National Cyber Security Centre
- Glitch UK — Online Abuse Resources— Glitch UK
- NUJ Online Safety Hub— National Union of Journalists
- Protection from Harassment Act 1997— legislation.gov.uk
- Online Safety Act 2023— legislation.gov.uk
- OFCOM — Online Safety Regulation— OFCOM
- PrivacyDuck — Data Broker Removal Service— PrivacyDuck