A significant cyber-security incident struck multiple local authorities in London, forcing council systems offline, disrupting services for residents, and prompting the involvement of national cyber-crime agencies.

The attack was first identified in late November 2025, affecting the Royal Borough of Kensington and Chelsea (RBKC), Westminster City Council and Hammersmith & Fulham Council, three neighbouring boroughs that share parts of their IT infrastructure.

Incident Overview

The cyber incident was detected early one Monday, prompting councils to shut down affected systems to limit further damage. IT teams reported widespread disruption to phone lines, online portals and back-office systems, leaving many public services degraded or unavailable.

An internal memo seen by local news outlets said Westminster had taken its networks offline as a precaution due to a cybersecurity issue, which was being treated as a suspected cyber-attack.

Data Breach Confirmed

Kensington and Chelsea Council later confirmed that the incident was not just an outage, but a data breach. The borough has said that some historical data was accessed, copied and taken away by attackers, though the exact contents and extent of the stolen information are still being assessed.

Officials have stated they still retain access to the information but acknowledge it could end up in the public domain. They are working urgently to determine whether the copied data includes personal or financial records of residents, service users or staff. As a public authority, the council must assess whether the breach meets the threshold for regulatory notification and ensure appropriate protections and communications are in place.

Impact Across Boroughs

Although Hammersmith & Fulham was impacted through shared systems, its own network was rapidly isolated and there is currently no evidence that its data was directly compromised. Nonetheless, some public-facing applications such as “My Account” have been temporarily suspended as a precaution.

Westminster City Council has stated that ongoing technical issues persist and that full restoration of services will take time. Councils have cautioned residents that significant disruption will continue for at least the next two weeks while safe recovery and investigation efforts are under way.

Response and Investigation

The incident is being treated as a major cybersecurity event. The National Cyber Security Centre (NCSC), part of GCHQ, the National Crime Agency (NCA) and London’s Metropolitan Police Service are all involved in the investigation and response effort, alongside specialist incident responders from NCC Group.

According to NCC Group, its teams have been working around the clock to contain the impact and help restart public services and systems, acknowledging that full recovery of digital services can be challenging and time-consuming.

Effects on Residents and Services

Across the affected boroughs, residents have reported difficulties accessing council tax accounts, business rates, housing services, parking permits, online benefit systems and other core digital functions. Some councils have reintroduced manual processes and opened in-person customer service support where possible.

Local officials are urging people to be vigilant against phishing attempts or suspicious contact, as attackers often exploit public attention around breaches to attempt further fraud. Advice from the NCSC and local councils highlights the importance of monitoring personal accounts and being cautious with unsolicited emails or text messages.

Broader Cyber-Security Implications

Beyond the immediate technical disruption, the incident raises deeper questions about how local authorities manage digital risk. While shared IT services are designed to reduce costs and improve efficiency, the attack demonstrates how they can also concentrate risk, turning a single breach into a multi-borough incident.

The situation has also highlighted challenges around accountability and communication when systems, data and responsibilities are split across organisations. Even where no direct data compromise has been confirmed, the perception of shared vulnerability may linger for residents, underlining how cyber incidents can erode public trust long after services are restored.

How AJC Can Help

Cyber incidents rarely occur in isolation. Shared systems, complex supplier arrangements and regulatory obligations mean that preparedness, response and recovery must be carefully coordinated.

AJC supports organisations in strengthening cyber resilience through governance reviews, third-party risk management, incident readiness assessments and post-incident assurance. We help organisations understand regulatory expectations, identify control gaps, and put proportionate, defensible measures in place to reduce the likelihood and impact of future cyber incidents.

Contact us on 020 7101 4861 or email us at info@ajollyconsulting.co.uk if you think we can help.

Sources:

Several London councils thought to be affected by cyber-attacks – BBC News

London councils cyber incident: Data breach warning as recovery expected to take weeks – PublicTechnology

NCC supporting London councils gripped by cyber attacks | Computer Weekly

Kensington and Chelsea Council cyber attack sees emergency plans initiated – BBC News

Image accreditation: Entrance to Royal Crescent gardens (2021) from Wikimedia Commons. Last accessed on 16th December. Available at: Entrance to the gardens of Royal Crescent, Holland Park, October 2021.jpg
