Private knowledge of hundreds stolen in assault on London councils
The Royal Borough of Kensington and Chelsea (RBKC) in Larger London is within the strategy of contacting households throughout the borough after establishing in December that private knowledge on hundreds of residents was stolen in a cyber assault on shared methods operated by the council.
Over a month after the incident, a number of providers stay disrupted or are working in a restricted capability. Residents might expertise longer service response occasions, difficulties with income or advantages processing and delays to funds and Direct Debits, and points with housing and social care.
RBKC didn’t reveal the exact nature of the info it is aware of to have been exfiltrated, however council chief Elizabeth Campbell informed the BBC that RBKC was being proactive in informing individuals who could also be potential victims.
“We determined to exit instantly and say to folks that is what’s occurred, this knowledge has been copied and it has been taken and you need to be conscious due to this fact you might be in danger,” she mentioned.
“We are actually going via all of the documentation to see if there are particular locations the place we all know that somebody’s been in danger – after which we’ll contact them straight.”
Within the meantime, RBKC is directing residents to comply with established recommendation and steerage from the UK’s Nationwide Cyber Safety Centre (NCSC) on defending oneself from cyber prison exercise reminiscent of digital fraud or identification theft, and staying secure on-line.
Residents must be particularly alert to sudden emails or messages asking for monetary or private info – significantly those who suggest a way of risk or urgency; ignore any unsolicited attachments or hyperlinks; and interrogate any inbound contacts from people purporting to be from RBKC Council who ask for delicate particulars.
Keven Knight, CEO of Talion, a managed safety providers supplier, mentioned: “It’s not clear precisely what knowledge was compromised, however provided that councils maintain extremely delicate private info on residents … it might present an attacker with the chance to craft extremely convincing and tailor-made phishing correspondence that may very well be used to dupe victims additional.
“One of many different main considerations is that this sort of knowledge can’t be simply modified, so as soon as it lands in an attacker’s fingers, it stays there perpetually.
“Residents are due to this fact suggested to be extraordinarily cautious of any correspondence across the incident – whether or not coming in through e-mail, cellphone calls or submit. All victims have this breach in widespread, so it’s doubtless attackers will use the incident as their first alternative to dupe victims,” mentioned Knight.
Each day assaults
RBKC mentioned it was coping with cyber crime and associated points virtually every day, highlighting that it stopped and remoted over 113,000 phishing makes an attempt towards its methods within the third quarter of 2025 alone.
“It isn’t uncommon for councils and different public sector organisations to be focused in cyber-attacks – particularly by criminals in search of private info or delicate knowledge,” a spokesperson mentioned. “The truth is most native authorities are below fixed assault. In 2024, the native authorities sector reported over 150 incidents to the Info Commissioner’s Workplace.”
The council nonetheless believes that because of the character of the assault and the info concerned it is going to take a number of months to finish its investigation and remediation.
In the meantime, the broader investigation into the incident, drawing in RBKC’s neighbouring councils, Hammersmith and Fulham and the Metropolis of Westminster, continues.
All three councils share entry to as-yet unspecified IT methods owned by RBKC, and previous to the festive break, Westminster Metropolis Council additionally confirmed that its “doubtlessly delicate and private” knowledge was additionally exfiltrated by the unnamed risk actors.
Strategic limits
Dan Panesar, chief income officer at knowledge safety and danger mitigation (DPRM) specialist Certes, mentioned it was “significantly uncomfortable” that breaches proceed to hit organisations reminiscent of RBKC and its neighbours given the UK authorities has ploughed hundreds of thousands of kilos into cyber defences.
Sadly, RBKC’s expertise highlights the strategic limits of a defensive method to safety, he recommended.
“Native authorities maintain a number of the most delicate knowledge in society, social care, housing and safeguarding information and as soon as that knowledge is copied, no quantity of ‘containment’ can reverse the injury,” mentioned Panesar.
“The true difficulty is technique. Public-sector cyber defence continues to be overly centered on retaining attackers out, somewhat than assuming compromise and making stolen knowledge unusable. Till these adjustments are made, these breaches will proceed no matter how a lot is spent on perimeter controls.”
