LONDON – Thousands of residents across west London are being advised to exercise “extra vigilance” following a confirmed cyberattack that compromised data systems in three interconnected local authorities. The incident, detected on November 24, 2025, has disrupted shared IT infrastructure, prompting emergency responses and investigations by national security agencies. While essential services remain operational, the breach highlights the escalating vulnerability of public sector networks to sophisticated cyber threats in the UK.
The Royal Borough of Kensington and Chelsea (RBKC), with a population of approximately 147,500, was the first to disclose that data had been “copied and taken away” from its systems during the attack. Council leader Cllr Elizabeth Campbell emphasized transparency, stating that officers were instructed to notify residents “at the earliest possible opportunity” once a potential breach was identified. Initial assessments suggest the stolen information pertains to “historical data,” but investigations are ongoing to determine if personal details—such as names, addresses, financial records, or service user information—were affected.
Westminster City Council, serving over 200,000 residents in one of London’s most densely populated and economically vital areas, confirmed the disruption on November 28, describing it as a “cyber security incident” originating from joint IT arrangements with RBKC and the London Borough of Hammersmith and Fulham. The council has temporarily suspended non-essential online portals and advised residents to expect delays in responses for services like housing queries, planning applications, and waste management. “We know a number of systems remain impacted, and our focus is to ensure we are still delivering critical services to residents, focusing on supporting the most vulnerable,” a Westminster spokesperson said. Essential operations, including social care and emergency support, have been maintained through manual workarounds and offline processes.
The neighboring London Borough of Hammersmith and Fulham, home to about 184,000 people, reported a “serious cybersecurity incident” linked to the same shared infrastructure. Although no direct data compromise has been confirmed there, the council isolated its network as a precaution, suspending public-facing applications and urging staff to avoid clicking links from affected colleagues. “We are working around the clock to restore our systems,” the borough stated, estimating at least two weeks of “significant disruption” before full recovery.
All three councils are collaborating with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA), and the London Metropolitan Police to trace the perpetrators. GCHQ experts are also involved in assessing the breach’s scope and origin. RBKC has identified the cause of the intrusion but is withholding details to avoid compromising the investigation. Phishing attempts and unauthorized access via outdated servers are suspected entry points, though officials have not ruled out ransomware—a tactic increasingly prevalent in public sector assaults. The Information Commissioner’s Office (ICO) has been notified as required under data protection laws.
In response, RBKC issued a public alert on November 28, advising residents, customers, and service users to scrutinize unsolicited calls, emails, or texts for signs of phishing—such as urgent demands for personal information or suspicious links. “With advice from the NCSC, we are encouraging all to be extra vigilant,” the council urged, recommending verification through official channels before responding to any communications claiming to be from the authorities. Emergency in-person support has been expanded, with RBKC’s Customer Service Centre at Kensington Town Hall open weekends from 10 a.m. to 4 p.m. for urgent queries.
This coordinated strike on interconnected systems serving over 500,000 Londoners underscores a disturbing pattern of cyberattacks targeting UK local governments. Public bodies have endured a sharp escalation in ransomware incidents since 2020, fueled by the COVID-19 pandemic’s acceleration of remote work and legacy IT vulnerabilities. Ransomware costs the UK economy billions annually, with attacks quadrupling between 2017 and 2020 and doubling again from 2020 to 2021.
A stark precedent is the 2020 ransomware assault on the London Borough of Hackney, where the Pysa gang exploited unpatched servers to encrypt 440,000 files and expose data of 280,000 residents. The ICO issued a strong reprimand in 2024 for the council’s failure to implement adequate safeguards despite prior warnings. Recovery costs exceeded £12 million, with impacts still felt in 2025 through backlogs in housing and planning services.
Other councils have faced similar ordeals. In 2020, Redcar and Cleveland Borough Council was locked out of its systems for nearly three weeks, costing £11.3 million. More recently, Comhairle nan Eilean Siar in Scotland suffered a 2023 ransomware attack that crippled frontline services and cost hundreds of thousands of pounds.
The surge has prompted strong government action. In January 2025, the Home Office launched a consultation on banning ransomware payments for public sector bodies and critical national infrastructure operators. By September 2025, the policy was formalized, extending prohibitions to essential suppliers and emphasizing resilience over payouts. The NCSC has bolstered guidance on multi-factor authentication, regular patching, and staff training.
Cybersecurity experts view the west London incident as emblematic of broader systemic weaknesses. Former Hackney IT director Rob Miller noted that councils are attractive targets due to their vast data holdings on vulnerable populations and often outdated infrastructure. University of Warwick researcher Harjinder Singh Lallie warned that similar attacks on health or transport systems could cause catastrophic disruption.
As investigations continue, the affected councils have activated business continuity plans, prioritizing support for vulnerable groups. Public reaction has ranged from frustration to alarm, with many residents expressing concern over the lack of immediate mainstream coverage despite the breach’s severity.
This event serves as a stark reminder of the growing cyber threat to public services. With ransomware now classified as a national security risk by the NCA, urgent investment in modern defenses and staff training is essential. For now, west London residents are urged to stay alert, monitor their financial accounts, and report any suspicious contact immediately.
