Three Greater London councils struck by a cyber attack last week are receiving response support from cyber security experts at NCC Group as they continue to pursue multiple investigations into the incident.
The three neighbouring authorities, the London Borough of Hammersmith and Fulham, the Royal Borough of Kensington and Chelsea (RBKC), and Westminster City Council – which operate a number of shared systems between them, first identified the incident on 24 November.
Of the three, RBKC has already disclosed that some historical data has been copied and exfiltrated from its systems, although it has not been encrypted or destroyed.
NCC’s teams were deployed alongside the National Cyber Security Centre (NCSC), London’s Metropolitan Police, and the National Crime Agency (NCA), with its operatives focused primarily on containing the impact of the attack and managing the three councils through the disruption, with a focus on restarting affected systems and public-facing services as soon as possible.
“Attacks on our public services require a diverse team to respond. Our team is working around the clock and under immense pressure as part of a coordinated effort to limit the impact of this incident and to work towards the continued delivery of essential services,” said NCC CEO Mike Maddison.
“As we have seen time and again in similar scenarios, the road to achieving a safe recovery of digital services can be challenging and will take time. This will be a difficult period both for residents in the impacted boroughs and the team members across the tri-borough partnership who are working tirelessly to address this issue,” he added.
Elizabeth Campbell, leader of Kensington and Chelsea Council, added: “Being given the news that we are under attack is what no Council leader wants to hear, but like any public body, there was always that possibility.
“To counter this threat, we had invested significantly in our digital, data and technology services and had up to date cyber defence systems. That system worked well mitigating the damage. Our IT team has been fighting back, investigating the cause, and assessing the impact,” she said.
“We are certain that we are taking all the right steps and we are hugely grateful to have the expertise of NCC Group to advise and support us. Their wealth of experience helping the British Library, universities and other authorities recover from cyber attacks is reassuring as we begin to recover and rebuild,” said Campbell.
Ongoing disruption
A week and a half after the incident was first detected, extensive disruption continues across all three of the affected councils.
In Hammersmith and Fulham, multiple services have been affected, with most of its online offerings unavailable, including council tax accounts; business rates payments; benefits accounts; housing, including repairs; parking permits, fines, and on-street bay suspensions; freedom pass applications; and property licensing.
As of its most recent statement, issued on Friday 28 November, the council said there was currently “no evidence” of its own systems having been compromised, but that it was continuing to enact enhanced security measures as part of its investigation.
The council’s spokesperson said it had been informed by RBKC of the data theft and said it was investigating this issue alongside its neighbours.
Meanwhile, as of Monday 1 December, RBKC has put in place a number of mitigations as it works towards service restoration, although crucially, phone lines continue to be disrupted. It expects disruption to last at least another fortnight.
It said residents experiencing genuine emergencies relating to environmental health, housing and social services should reach out via the phone numbers available here. It will also be opening its customer service centre at Kensington Town Hall for emergency in-person appointments on the weekend of 6-7 December.
On council tax and business rate payments, RBKC’s systems continue to be disrupted for those paying by Direct Debit, so residents are advised to keep funds available in their accounts so that collections can take place once they are back online. Other methods of payment are available as normal.
RBKC’s IT and security budget runs to over £12m per annum and the council said that in this instance, its systems worked as intended, enabling it to detect the cyber attack quicker and take action. This may have limited the scope of the incident.
Westminster Council is also continuing to respond to the incident. In its most recent update issued on Thursday 4 December, a spokesperson said: “We want to reassure residents that council services are running, although some disruption remains. Our priority is to keep services operating and to support the most vulnerable in our community and we apologise for any inconvenience.”
The disruption in Westminster extends across multiple services, including rent and service charge payments; council tax and business rates; housing repairs; local support payment applications; community hall bookings; birth, deaths and marriage certificates; children’s services referrals; complaints; licensing; and online waste and recycling services, including bulky item collections and requests for more recycling bags. Libraries are open as usual but cannot accept new members.
Like its neighbours, it expects the disruption to continue for some time, and it is also working to confirm the precise nature of the data breach.
“We have a team of specialists working to understand the extent and potential implications of any breach of data from shared services. At this time our investigations continue, and we urge everyone to follow advice to keep cyber safe with service users asked to be extra vigilant when called, emailed or sent text messages,” the spokesperson said.
All three councils are encouraging residents, customers and other service users to be extra vigilant with regard to their own personal data, and wary of any unexpected contacts via email, phone or text. More consumer information on staying safe in the wake of a data breach is available from the NCSC.
Hackney Council not involved
Earlier reporting suggested that Hackney Council, which was the victim of a major incident at the hands of the Pysa ransomware gang in October 2020v, had also been impacted by the latest incident. This is now known to be inaccurate.
A Hackney council spokesperson said: “Hackney Council is unaffected by the cyber attack that is reported to be affecting some councils in London. Media reports suggesting otherwise are mistaken.
“We have strong measures in place to keep our services secure and have reminded all staff about their responsibilities to ensure that data is protected.”
Public services on the frontline
Although the big story of 2025 has been one of major cyber attacks on some of the UK’s best-known private sector companies, public services remain in the crosshairs of cyber criminal actors as well, and recent history is littered with examples of such incidents, from last year’s incident at NHS partner Synnovis to the British Library attack, and hits on multiple local authorities across the nation.
“Cyber attacks are a serious and persistent risk to digitised economies. Unfortunately, public services are a prime target for cyber threat actors, whether that be organised crime, nation states, or individuals,” said Maddison at NCC.
“The challenge of securing public institutions is real and growing. Public bodies have large and complex attack surfaces, with online accounts, employees, online resources, locations, and systems to protect.
“The bar to adequately protect such institutions from attack is getting ever higher, with sophisticated and coordinated attackers to counter. We must focus on ensuring the fundamentals are in place to build the future securely. It is critical that initiatives such as the UK’s Cyber Growth Action Plan are adequately funded and prioritised, recognising cyber as a strategic enabler of national resilience and economic growth,” he said.
