The Royal Borough of Kensington and Chelsea (RBKC) has confirmed that data was likely leaked following a cyberattack that disrupted shared IT systems serving three London councils, mapped to MITRE ATT&CK techniques T1565 (Data Manipulation), T1041 (Exfiltration Over C2 Channel), and T1489 (Service Stop). The incident, detected on a Monday, affected RBKC, Westminster City Council, and the London Borough of Hammersmith and Fulham, temporarily knocking some online services offline. RBKC has since stated that evidence shows historical data was copied and taken from its systems, though the council still retains access to the information internally. At this stage, RBKC believes the breach primarily involves older records, while Westminster and Hammersmith and Fulham are still investigating whether their residents’ data was exfiltrated, particularly from 2006–2020. The National Cyber Security Centre (NCSC) has urged residents and service users to be extra vigilant against phone calls, emails, and SMS messages purporting to be from the impacted councils, warning that attackers may weaponize stolen data for phishing and social engineering. Security experts note that even older data—such as addresses, dates of birth, and financial details—remains highly valuable, as it can be used to craft convincing fraud attempts and cannot easily be changed. The operational impact includes weeks of disruption as councils restore IT services and investigate the scope of the breach, alongside reputational damage and potential regulatory scrutiny from the Information Commissioner’s Office. Previous council incidents, such as Hackney’s 2020 ransomware attack, have already put public-sector cyber resilience under the spotlight, and statistics show local authority systems are facing a rising volume of attempted attacks. Residents and businesses interacting with these councils should treat all communications referencing the incident with caution, verify any requests for additional information, and avoid clicking on unsolicited links or attachments. The councils, working with the Met Police and national crime agencies, should prioritize transparent communication, rapid containment, and long-term hardening of their shared IT environment, including segmentation, improved monitoring, and robust incident response playbooks focused on local government threat scenarios.
🎯CORTEX Protocol Intelligence Assessment
Business Impact: The shared IT cyberattack on RBKC, Westminster, and Hammersmith and Fulham highlights how a single incident can simultaneously impact multiple local authorities, resulting in data leakage, disruption of public services, and erosion of citizen trust. Potential regulatory action and the costs of forensic investigation, remediation, and communication add to the financial burden on already-constrained public-sector budgets. Technical Context: While technical details remain limited, the incident likely involves T1041 exfiltration of council records via compromised shared infrastructure and T1565 data manipulation or disruption to online services. The shared-services model amplifies the blast radius of a single compromise, underscoring the need for segmented architectures, strong access controls, and continuous monitoring in inter-council IT environments.
⚡Strategic Intelligence Guidance
- Perform a detailed forensic review of shared IT systems across all three councils to determine initial access vectors, extent of data exfiltration, and any ongoing attacker presence.
- Notify potentially affected residents and service users proactively, providing clear guidance on phishing risks and identity-protection steps while investigations continue.
- Re-architect shared services with stronger segmentation, least-privilege access controls, and improved logging, ensuring that compromise of one tenant cannot easily impact others.
- Incorporate this incident into updated local government cyber resilience strategies, including tabletop exercises, vendor assessments, and alignment with NCSC guidance on public-sector cyber defense.
Vendors
Royal Borough of Kensington and ChelseaWestminster City CouncilLondon Borough of Hammersmith and Fulham
Threats
data breachphishinglocal government cyberattack
Targets
local authority IT systemsresident datapublic services