The Royal Borough of Kensington and Chelsea (RBKC) in Greater London is contacting households across the borough. after creation in December that the personal data of thousands of residents was stolen in cyber attack on shared systems governed by a council.
More than a month after the incident, some services are still down or operating at limited capacity. Residents may experience longer response times to services, difficulties processing income or benefits, delays in payments and direct debits, and problems with housing and social care.
RBKC has not disclosed the exact nature of the data it knows was stolen, but Council leader Elizabeth Campbell told the BBC that RBCC actively informed people who could become potential victims.
“We decided to immediately come out and tell people that this is what happened: this data was copied and stolen, and you need to know that you are at risk,” she said.
“We are now reviewing all the documentation to see if there are specific locations where we know someone was exposed, and then we will contact them directly.”
In the meantime, RBKC advises residents to follow established advice and guidance from the UK National Cyber Security Center (NCSC) regarding protecting yourself from cybercriminal activity such as digital fraud or identity theft, and stay safe online.
Residents should be especially alert to unexpected emails or messages asking for financial or personal information, especially those that convey a sense of threat or urgency; ignore any unwanted attachments or links; and interrogate any incoming contacts from persons purporting to be representatives of the RBKC Board who request confidential details.
Keven Knight, CEO Talionmanaged security services provider, said: “It is unclear exactly what data was compromised, but given that municipalities hold highly sensitive personal information about residents… this could provide an opportunity for an attacker to create highly convincing and tailored phishing emails that can be used to further deceive victims.
“One of the other major problems is that this type of data is not easily modified, so once in the hands of an attacker, it remains there forever.
“Residents are therefore advised to be extremely cautious with any correspondence regarding the incident – whether via email, phone calls or mail. All victims have this common impairment, so it is likely that attackers will use this incident as their first opportunity to defraud victims,” Knight said.
Daily attacks
RBKC said it deals with cybercrime and related issues almost daily, highlighting that in the third quarter of 2025 alone, the company stopped and isolated more than 113,000 phishing attempts against its systems.
“It is not uncommon for councils and other public sector organizations to be subject to cyber attacks – particularly from criminals seeking personal information or sensitive data,” the spokesman said. “In fact, most local authorities are under constant attack. In 2024, the local government sector reported more than 150 incidents to the Information Commissioner's Office.”
The Board continues to believe that due to the nature of the attack and the associated data, it will take several months to complete the investigation and resolve the impact.
Meanwhile, wider investigation into the incidentinvolving RBKC's neighboring councils, Hammersmith, Fulham and City of Westminster, is ongoing.
All three councils share access to as yet unspecified IT systems owned by RBKC, and before the holiday breakWestminster City Council also confirmed that its “potentially sensitive and personal” data was also stolen by unnamed attackers.
Strategic Constraints
Dan Panesar, Chief Revenue Officer, Data Protection and Risk Mitigation (DPRM) Certainlysaid it was “particularly embarrassing” that breaches continued to hit organizations like RBKC and its neighbors given that the UK government had invested millions of pounds in cyber defence.
Unfortunately, the RBKC experience highlights the strategic limitations of a defensive approach to security, he suggested.
“Local authorities hold some of the most sensitive data about the community, social care, housing and safeguarding, and once that data is copied, no amount of 'containment' can undo the damage,” Panesar said.
“The real problem is strategy. Public sector cybersecurity remains too focused on keeping bad actors out, rather than embracing compromise and making stolen data unusable. Until these changes are made, these breaches will continue no matter how much money is spent on perimeter control.”
