Westminster City Council said “potentially sensitive and personal” data was stolen by hackers during cyber attack that hit three neighboring London authorities last month.
Westminster is part of an overall IT services operation with the London boroughs of Hammersmith and Fulham and the Royal Borough of Kensington and Chelsea (RBKC), with all three affected by the attack, which was first discovered on 24 November.
Four days later, RBKC said there was a data leak in the attack, but Westminster has now confirmed that after further investigation, its data was copied and captured by a third party who infiltrated IT systems managed by RBKC.
“The council has determined that the Westminster hack involves some limited data located in the Royal Borough of Kensington and the general Chelsea IT environment, which is likely to contain some potentially sensitive and personal information,” Westminster council said in a statement. the statement was published on the website.
“Work is currently underway to establish exactly what the data entails and how it relates to individuals, as part of a comprehensive process in line with recommendations from the Information Commissioner's Office, which will take some time. The data has not been lost or deleted and there is no indication at this stage that it has been published online.”
RBKC added in a separate statement: “After extensive investigation with cybersecurity specialists from NCC Group and independent forensic experts, we can confirm that this was a cyber attack with criminal intent, copying and exfiltrating data.”
The councils said the attack was detected quickly and they believe was stopped before it could spread to other systems. “There is no evidence of any lateral movement,” RBKC said.
The Metropolitan Police, the National Crime Agency and the National Cyber Security Center are also involved in the investigation.
Westminster Councilor David Boothroyd, cabinet member for finance and municipal reform, reassured residents that the council was doing everything possible to respond to the incident and continue to provide services.
“Our priority is to support and protect the most vulnerable members of our community despite the disruption this has caused. We have acted quickly to protect our systems and are working to restore municipal services as safely and quickly as possible, but this will take time. We remain committed to transparency and will continue to provide updates as our recovery progresses,” he said.
RBKC said it would “take months” to fully verify any additional data stolen from its systems. The council said it had written to more than 100,000 households with advice on what to do if they were concerned about a data breach.
“We are working to safely restore all systems, but this will take time. Essential services, including those that support vulnerable residents, are being prioritized,” RBKC said. “Our investigation is ongoing and will take several months due to the complex nature of the attack and the data involved, as well as the need to restart many of our systems.”
Utilities have been affected in all three affected councils. In Hammersmith and Fulham, several services were affected, with most online offerings unavailable, including council tax accounts; payments for business rates; benefit accounts; housing, including repairs; parking permits, fines and blocking of street parking; freedom pass applications; and property licensing.
In Westminster, disruption has also extended to a range of services, including rent and service charges; council tax and business rates; home renovation; applications for payment of local support; reservation of public places; birth, death and marriage certificates; referrals to children's services; complaints; licensing; and online waste collection and recycling services, including collection of bulky items and requests for additional recycling bags.
The UK Government also acknowledged today that Foreign, Commonwealth and Development Office IT systems were hacked in October, but insisted the attack had a “low risk” of compromising personal data.
