Several London councils have spent the past few days grappling with cyber-attacks that have disrupted key systems and forced emergency plans into action, the BBC has reported.
The Royal Borough of Kensington & Chelsea (RBKC) confirmed that it and Westminster City Council are dealing with a “cyber incident affecting some shared IT systems.”
Phone lines and other services have been intermittently unavailable, and both councils say they are working with cyber specialists and the National Cyber Security Centre to contain the issue and protect data. The Met Police has opened an investigation.
According to the Royal Borough of Kensington and Chelsea (RBKC), the incident was detected early on Monday, prompting the activation of emergency processes to keep critical services running. The council said it is “too early to say who did this, and why,” and noted that the Information Commissioner’s Office has been notified. Some systems have reportedly been down for two to three days.
No Further Details… Yet
In an update on its website yesterday, the RBKC said: “Our IT teams have worked through the night this week and have now established the cause of a cyber incident which was identified on Monday 24 November. We will not be giving out further details of the incident at this stage because the investigation is continuing with the National Crime Agency and National Cyber Security Centre to establish exactly how our systems have been impacted and protect them from any further impacts.”
Hammersmith & Fulham Council appears to be caught in the same disruption. In a memo to staff, it described a “serious cyber security incident” and said some connectivity issues cannot be resolved until RBKC can confirm its networks are safe, a process that “could take some days.”
Staff have been told not to click on links sent from RBKC or Westminster accounts in Outlook or Teams until further notice.
The council said it is taking “precautionary measures to review, isolate and protect our networks” and apologised for the ongoing disruption.
Hackney Council, which was not directly targeted, raised its cyber threat level to “critical” after receiving intelligence that multiple London authorities had been hit in the last 24 to 48 hours. Staff were urged to stay alert to phishing attempts and help safeguard resident data.
London Mayor Sadiq Khan told the BBC he was unaware of the specific attacks but said City Hall continues to support councils in strengthening cyber-resilience, citing lessons from previous incidents affecting Transport for London, Marks & Spencer, and Heathrow Airport.
“The reality is, I’m afraid, those who breach protections are going to try more and more ways to get into those systems,” he said.
A Direct Hit on People
Graeme Stewart, head of public sector at Check Point, said: “Knocking out a London borough isn’t a nuisance – it’s a direct hit on the people who rely on social care, housing support and safeguarding teams to keep them safe. When these systems stall, the impact lands on residents who have no buffer.
According to him, what’s happening here has all the signs of a serious intrusion: multiple boroughs knocked offline, shared infrastructure exposed, and urgent internal warnings telling staff to avoid emails from partner councils. “That’s classic behaviour when attackers get hold of credentials or move laterally through a shared environment. Once they’re inside one part of the network, they can hop through connected systems far faster than most councils can respond.”
The decision to shut down services so quickly isn’t an overreaction – it tells you they suspect this could escalate into encryption or data theft, Steward added. “Councils hold incredibly sensitive material: social-care files, identity documents, housing records, everything you’d need for targeted fraud or extortion. If attackers got near that, the fallout wouldn’t stay local.
“The NCSC and Met being pulled in at speed shows this is being treated as a high-risk event, not an IT outage. And it should be. Local authorities remain some of the easiest public-sector targets because they’re running huge workloads on tight budgets with uneven cyber maturity,” Steward said.
“This attack cuts far deeper than downtime. Undermine a council, and you destabilise an entire community.”
A Critical Vulnerability in Modern Public Services
Commenting on this, Dray Agha, senior director of security operations at Huntress, added: “This coordinated incident highlights a critical vulnerability in modern public services: the double-edged sword of shared IT infrastructure. While such systems are efficient, the breach of one council can instantly compromise its partners, crippling essential services for hundreds of thousands of residents. It underscores an urgent need to move beyond simple cost-saving IT models and invest in resilient, segmented networks that can contain such threats and protect vital public services.”
Could it Be Ransomware?
Rebecca Moody, Head of Data Research at Comparitech, commented: “This sounds like it could be a ransomware attack as the councils are experiencing both system disruption and potential data theft. Most groups today follow this MO so they can demand not one but two ransoms (one to decrypt systems and one to delete stolen data).”
She said governments are a key target for these exact reasons, as attackers can cause widespread disruption (as we’re seeing here) and can access highly sensitive data stored by these entities. “So far this year, we’ve noted 174 confirmed attacks on government organisations across the globe. These attacks have resulted in data breaches of over 780,000 records and average ransom demands of nearly $2.5 million (USD).”
Moody said while we await more information on the nature of the attack, residents and employees from these boroughs should be on high alert for any potential phishing messages and suspicious activity on their accounts. “If this is a ransomware attack and ransom negotiations fail, it’s likely we’ll see a group coming forward to claim the attack and data theft in the coming days/weeks.”
“Think Supply Chain Attacks”
Ian Nicholson, Head of Incident Response at Pentest People, said these reports go to prove how fragile shared public-sector infrastructure can be. “When environments are completely interconnected, compromise in one area quickly propagates across the whole environment.
“Think supply chain attacks. Again and again, we see attackers exploiting legacy systems, we see slow patching, and underfunded, understaffed IT teams. The real concern now, from my perspective, is data integrity and operational disruption. Local authorities sit on highly sensitive information, and incidents like this really does impact those much needed front line services.”
Organizations Share Their Cyber Risk
Rik Ferguson, Vice President of Security Intelligence at Forescout, said: “This incident highlights the harsh reality that organisations are seldom ‘in control’ of their cyber risk, they are sharing it. With suppliers, shared-service operators, cloud and AI platforms, even with the people on their own teams whose resilience may already be stretched.”
For Ferguson, what’s worrying is that attackers are learning that the fastest way to profit isn’t always by encrypting or publicly leaking data, it’s by holding entire enterprise ecosystems hostage. And they know supply-chain and shared-services models create single points of failure.
“These kinds of attacks have the potential to exploit the financial and functional interdependence between organisations, turning a breach at one into an industry (or in this case local authority)-wide crisis.
“Protecting technology partners and shared services are now part of protecting any organisation. Whether public bodies or private firms, they must treat this kind of resilience as core to their own cyber defence. Vigilance, rigorous oversight of third-party relationships or shared services and continuous readiness must become essential.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.