Three Greater London Councils suffered a cyber attack last week are receiving feedback from cybersecurity experts at NCC Group as they continue to conduct multiple investigations into the incident.
Three neighboring authorities – the London Borough of Hammersmith and Fulham, the Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council, which operate a number of shared systems – first identified the incident on 24 November.
Of the three, RBKC has already reported that some historical data was copied and deleted from its systems, although it was not encrypted or destroyed.
NCC teams were deployed alongside the National Cyber Security Center (NCSC), London Metropolitan Police and the National Crime Agency (NCA), with staff focused primarily on containing the impact of the attack and managing the three councils through the disruption, with a particular focus on restarting affected systems and public services as quickly as possible.
“Attacks on our public services require a diverse team response. Our team is working around the clock and under enormous pressure in a coordinated effort to limit the impact of this incident and work to continue providing essential services,” he said. NCC CEO Mike Maddison.
“As we have seen many times in similar scenarios, the path to safely restoring digital services may not be easy and will take time. This will be a difficult period for both residents of the affected areas and the team members of the tri-borough partnership who are working tirelessly to resolve this issue,” he added.
Elizabeth Campbell, leader of Kensington and Chelsea Council, added: “No council leader wants to hear the news that we have been attacked but, like any public body, the possibility has always existed.
“To counter this threat, we have invested heavily in our digital, information and technology services and have state-of-the-art cyber defense systems in place. This system has worked well in mitigating the damage. Our IT team is fighting back by investigating the cause and assessing the impact,” she said.
“We are confident we are taking all the right steps and we are very grateful to NCC Group's experts for being able to advise and support us. Their wealth of experience in helping the British Library, universities and other authorities recover from cyber-attacks is reassuring as we begin to recover,” Campbell said.
Ongoing disruptions
A week and a half after the incident was first discovered, widespread disruption continues in all three affected municipalities.
In Hammersmith and Fulham multiple services were affectedhowever, most of its online offerings are unavailable, including council tax accounts; payments for business tariffs; benefit accounts; housing, including repairs; parking permits, fines and blocking of street parking; freedom pass applications; and property licensing.
In its latest statement, released on Friday, November 28, the council said there was currently “no evidence” that its own systems had been hacked, but it was continuing to take enhanced security measures as part of its investigation.
A council spokesman said RBKC had informed it of the data theft and said it was investigating the matter with its neighbours.
Moreover, as of Monday, December 1, RBKC has introduced a number of mitigation measures as it works to restore service although, crucially, phone lines continue to be disrupted. He expects the disruption to last at least another two weeks.
It says residents experiencing genuine emergencies related to environmental health, housing and social services should contact the telephone numbers. available here. The company will also open a customer service center at Kensington Town Hall over the weekend of 6-7 December for emergency face-to-face appointments.
For council tax and business rates payments, RBKC systems continue to be disrupted for those paying by direct debit, so residents are advised to keep funds in their accounts so collections can be made once they are back online. Other payment methods are available as usual.
RBKC's IT and security budget is more than £12 million a year and the council said that in this case its systems worked as intended, allowing it to detect the cyber attack more quickly and take action. This may have limited the scope of the incident.
Westminster Council is also continuing to respond to the incident. In its latest update, published on Thursday, December 4, a spokesman said: “We want to reassure residents that council services are operating, although some disruption remains. Our priority is to keep services running and support the most vulnerable members of our community, and we apologize for any inconvenience.”
Riots in Westminster applies to multiple servicesincluding rent and service charges; council tax and business rates; home renovation; applications for payment of local support; reservation of public places; birth, death and marriage certificates; referrals to children's services; complaints; licensing; and online waste collection and recycling services, including collection of bulky items and requests for additional recycling bags. Libraries are open as usual but cannot accept new members.
Like its neighbors, it expects the outages to continue for some time and is also working to confirm the exact nature of the data breach.
“We have a team of specialists working to understand the scope and potential impact of any data breach from shared services. Our investigations are ongoing at this time and we encourage everyone to follow cybersecurity advice and service users are asked to be particularly vigilant when receiving calls, emails or text messages,” the spokesperson said.
All three councils urge residents, clients and other service users to be particularly vigilant about their personal details and to be wary of any unexpected contact via email, phone or text message. Additional information for consumers on how to stay safe after a data breach available from NCSC.
Hackney Council is not involved.
It was previously reported that Hackney Council, which was the victim of a major incident, at the hands of the Pysa ransomware gang in October 2020.v., also suffered from the latest incident. This is now known to be false.
A Hackney Council spokesman said: “Hackney Council was not affected by the cyber attack which has reportedly affected some councils in London. Media reports suggesting otherwise are wrong.
“We have strict measures in place to ensure the security of our services and we have reminded all staff of their responsibilities to ensure data protection.”
Public services on the front line
Although the big story of 2025 was one of the major cyberattacks on some of the UK's best known private sector companiespublic services also remain in the crosshairs of cybercriminals, and recent history is replete with examples of such incidents, starting with an incident involving an NHS partner last year. Dream vision To British Library attack, and hits multiple local authorities across the country.
“Cyber attacks pose a serious and ongoing risk to the digital economy. Unfortunately, government services are a prime target for cyber threat actors, be they organized crime, nation states or individuals,” NCC's Maddison said.
“The security challenge for government agencies is real and growing. Government agencies have large and complex attack surfaces, including online accounts, employees, online resources, locations and systems that must be protected.
“The bar to adequately protect such institutions from attack is becoming ever higher, and they must confront sophisticated and coordinated attackers. We must focus on providing the foundations to build a secure future. It is vital that initiatives such as the UK's Cyber Growth Action Plan are adequately funded and prioritized, recognizing cyber security as a strategic driver of national resilience and economic growth,” he said.
