Coordinated Cyber Attacks Strike Multiple London Councils: What We Know

Breaking: Multiple London borough councils have been hit by what appears to be a coordinated cyber attack, raising serious questions about the security of shared IT infrastructure in local government.

The Incident

On Monday, November 25, 2024, at least four major London councils confirmed they were responding to cyber security incidents that began disrupting services over the weekend. The affected authorities include:

  • Royal Borough of Kensington and Chelsea (RBKC)
  • Westminster City Council
  • Hammersmith & Fulham Council
  • Hackney Council

The timing and coordinated nature of these attacks suggest a sophisticated, multi-target campaign specifically designed to exploit shared IT infrastructure weaknesses across London's local government landscape.

The Shared Infrastructure Vulnerability

A critical factor in this incident is the interconnected IT infrastructure between these councils. RBKC, Westminster City Council, and Hammersmith & Fulham have shared IT services since 2011 as part of the "tri-borough shared services arrangement" - a 13-year-old infrastructure sharing model designed to reduce costs. According to internal memos, the incident reportedly originated at Kensington and Chelsea council before spreading through the shared infrastructure to affect the other authorities. This shared infrastructure model, while generating significant cost savings, has created a dangerous single point of failure where compromise of one system provided lateral movement opportunities to connected authorities serving collectively over 500,000 constituents.

According to Graeme Stewart, head of public sector at Check Point, the situation displays clear signs of a serious intrusion: "What's happening here has all the signs of a serious intrusion: multiple boroughs knocked offline, shared infrastructure exposed, and urgent internal warnings telling staff to avoid emails from partner councils. That's classic behaviour when attackers get hold of credentials or move laterally through a shared environment."

Immediate Response Actions

Detection and Containment

RBKC and Westminster City Council identified the incidents quickly on Monday morning and immediately activated their incident response protocols. The councils have:

  • Reported the incidents to the National Cyber Security Centre (NCSC)
  • Notified the Information Commissioner's Office (ICO) - a step typically taken when data compromise is suspected (though notably, as of Tuesday evening, the ICO stated it had received no reports of incidents, creating a concerning discrepancy in the timeline)
  • Engaged specialist cyber incident response experts
  • Activated business continuity and emergency response plans

Westminster's Aggressive Defensive Posture

Westminster City Council took the most aggressive defensive action, shutting down all networks as a precautionary measure following the cyber security incident. This decisive move, while disruptive to services, demonstrates proper incident response methodology when the scope of compromise is unknown.

Hackney's Elevated Alert Status

Hackney Council, which suffered a devastating ransomware attack in 2020, has raised its cyber security threat level to "critical" and issued urgent internal warnings about phishing attacks. Staff received memos stating: "We have received intelligence that multiple London councils have been targeted by cyber-attacks within the last 24-48 hours, with potential disruption to systems and services. Your immediate cooperation is essential to protect the council and the data of our residents."

Service Impact

The attacks have disrupted multiple systems across affected councils:

  • Phone systems are down at several locations
  • Email systems are compromised or under monitoring
  • Public-facing websites have limited functionality
  • Resident contact services are significantly degraded, including call centers and online tools like "Report It"
  • Systems at RBKC have reportedly been down for 2-3 days according to some sources

Recovery Timeline: Westminster Council has indicated that affected systems are unlikely to be fully operational until the end of the week, while Hammersmith & Fulham warned that some connectivity issues could remain for days until RBKC can guarantee its networks are safe.

Critical services are being maintained through emergency protocols, with councils prioritizing support for the most vulnerable residents. IT teams reportedly worked through the night implementing mitigations.

The Attack Pattern

While attribution details remain under investigation, cybersecurity experts note several concerning indicators:

1. Coordinated Timing and Origin Point

Multiple councils experiencing incidents within a 24-48 hour window, with internal memos indicating the incident originated at Kensington and Chelsea council before spreading, suggests:

  • Exploitation of a common vulnerability within the shared tri-borough infrastructure
  • Successful lateral movement from the initial compromise point through interconnected systems
  • Possible supply chain compromise affecting shared service providers
  • The 2011 tri-borough shared services arrangement created a single point of failure that amplified the impact

2. Lateral Movement Capability

Internal warnings advising staff to avoid emails from partner councils indicate that attackers may have:

  • Compromised credentials across the shared network
  • Established persistence in multiple environments
  • Capability to conduct business email compromise (BEC) attacks using legitimate-appearing communications

Notably, Hammersmith & Fulham's internal memo specifically urged staff not to click on any links sent from Kensington and Chelsea or Westminster council staff in Outlook or Teams accounts "until further notice" - indicating suspected compromise of these communication channels.

3. Rapid Escalation Potential

Stewart from Check Point notes: "The decision to shut down services so quickly isn't an overreaction – it tells you they suspect this could escalate into encryption or data theft. Councils hold incredibly sensitive material: social-care files, identity documents, housing records, everything you'd need for targeted fraud or extortion."

Historical Context: The Hackney Precedent

Hackney Council's involvement is particularly significant given their traumatic experience with a 2020 ransomware attack. That incident:

  • Resulted in encryption of 440,000 files
  • Affected at least 280,000 residents and staff
  • Saw attackers exfiltrate 9,605 records
  • Cost millions in recovery and led to service disruptions lasting into 2022
  • Resulted in an ICO reprimand in 2024 for inadequate security measures

The Information Commissioner's investigation found "examples of a lack of proper security and processes to protect personal data," including basic security failures such as dormant accounts where the username and password were identical.

The Broader UK Local Government Cyber Crisis

This incident is part of a disturbing trend affecting UK local authorities:

Rising Attack Volume

  • Cyber attacks on UK local councils increased 24% between 2022-2023
  • Personal data breaches surged 58% in the same period
  • 161 councils faced over 2.3 million cyber attacks in 2022 alone
  • Hammersmith & Fulham Council reportedly faces 20,000 attempted attacks daily

2024 Major Incidents

  • Leicester City Council (March): Ransomware attack shut down IT systems and phone lines, with confidential data published online by Inc Ransom group
  • Locata Housing Services (August): Supply chain attack affected Manchester, Salford, and Bolton councils' housing websites
  • Kent Councils (Multiple): Three neighboring councils targeted simultaneously earlier this year

Systemic Vulnerabilities

According to recent surveys and reports:

  • Two-thirds of senior council leaders acknowledge their cybersecurity approach is "outdated"
  • Over 25% report making no progress on cybersecurity improvements
  • Many councils operate on legacy systems lacking modern security features
  • Budget constraints force reactive rather than preventive approaches

Technical Analysis: Why Councils Are Vulnerable

1. Legacy Infrastructure

Local councils frequently rely on outdated IT systems and end-of-life software that:

  • Lack modern security features
  • Cannot receive security patches
  • Are incompatible with current security tools
  • Have been "patched together" over many years, creating complex maintenance challenges

2. Budget Constraints

Financial pressures severely limit councils' ability to:

  • Hire specialized cybersecurity personnel
  • Implement comprehensive security monitoring (24/7 SOC operations)
  • Upgrade legacy systems
  • Invest in preventive measures rather than reactive responses

3. Shared Services Model Risks

While shared services generate efficiency savings (over £1.3 billion for UK local government), they also:

  • Create single points of failure affecting multiple authorities
  • Expand the attack surface
  • Complicate security oversight and accountability
  • Enable lateral movement between connected systems

4. High-Value Target Profile

Councils are attractive targets because they:

  • Hold extensive sensitive data (social care, housing, financial records, identity documents)
  • Provide critical public services whose disruption creates pressure to pay ransoms
  • Often lack mature security programs compared to private sector equivalents
  • Face constant operational pressure that can deprioritize security

5. Human Factor Vulnerabilities

  • 83% of UK organizations experiencing cyber incidents were affected by phishing
  • Council staff handle diverse sensitive information, creating numerous attack vectors
  • "Alert fatigue" from high-volume security alerts can cause critical threats to be missed
  • Insufficient employee awareness and training on social engineering

Response from London Leadership

Mayor of London Sadiq Khan stated he was not initially aware of the attacks but emphasized that City Hall is working with councils to build stronger cyber protections through the London Office of Technology and Innovation and the National Crime Agency. However, he acknowledged the persistent challenge: "We are trying to encourage councils to have better resilience but the reality is, I'm afraid, those who breach protections are going to try more and more ways to get into those systems."

Notably, a GLA Oversight Committee meeting was scheduled for November 27 to discuss "the broader context of cyber threats and challenges for public institutions in London and the UK," though this was planned before the current incidents became public.

What Should Other Councils Learn?

Immediate Actions

  1. Assume Compromise: Given the coordinated nature of these attacks, other councils with shared IT arrangements should conduct immediate threat hunts
  2. Review Access Controls: Audit privileged accounts, disable dormant accounts, implement MFA universally
  3. Monitor Lateral Movement: Enhanced monitoring for unusual authentication patterns and cross-system access
  4. Segment Networks: Ensure proper network segmentation to limit lateral movement capabilities
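
As an added illustration (not from the councils or any source quoted in this article), the Python sketch below shows one way the threat hunt in items 1 to 3 could begin in a shared environment: build a baseline from authentication logs before the incident window, then flag dormant accounts that suddenly log on and accounts reaching a partner organisation's systems for the first time. The event fields, organisation labels, account names and 90-day dormancy threshold are assumptions, and the log records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample authentication events (not real council data).
# Fields: timestamp, account, account's home organisation, target host's organisation.
EVENTS = [
    ("2024-03-02T11:00", "old.temp",  "org-b", "org-b"),
    ("2024-08-01T09:00", "a.khan",    "org-a", "org-a"),
    ("2024-11-20T09:05", "a.khan",    "org-a", "org-a"),
    ("2024-11-21T10:00", "svc-share", "org-a", "org-b"),  # established shared-service path
    ("2024-11-24T02:10", "a.khan",    "org-a", "org-b"),  # first cross-org logon
    ("2024-11-24T02:12", "a.khan",    "org-a", "org-c"),  # and a second partner
    ("2024-11-24T02:30", "old.temp",  "org-b", "org-b"),  # dormant account wakes up
    ("2024-11-24T08:00", "svc-share", "org-a", "org-b"),  # matches baseline
]


def hunt(events, window_start, dormant_days=90):
    """Return (timestamp, account, reason) findings for events in the hunt window.

    Events before window_start form the baseline. Inside the window the
    baseline is frozen, so repeated use of a new cross-org path keeps alerting.
    """
    start = datetime.fromisoformat(window_start)
    last_seen = {}       # account -> time of most recent logon
    known_paths = set()  # (account, target organisation) pairs seen in the baseline
    findings = []
    for ts, account, home, target in sorted(events):
        when = datetime.fromisoformat(ts)
        if when >= start:
            prev = last_seen.get(account)
            # Dormant account: known account with no logon for dormant_days.
            if prev is not None and when - prev > timedelta(days=dormant_days):
                findings.append((ts, account, "dormant-account-logon"))
            # Lateral movement indicator: access to another organisation's
            # systems that this account never used during the baseline.
            if home != target and (account, target) not in known_paths:
                findings.append((ts, account, f"new-cross-org-access:{target}"))
        else:
            known_paths.add((account, target))
        last_seen[account] = when
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS, "2024-11-24T00:00"):
        print(*finding)
```

The established shared-service account is not flagged because its cross-organisation path exists in the baseline; tuning that baseline period is what keeps the output reviewable.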

Strategic Improvements

  1. Adopt Zero Trust Architecture: Move away from perimeter-based security to identity-centric, data-centric models
  2. Improve Patch Management: Critical patches should be applied within 14 days where possible
  3. Enhance Logging and Monitoring: Implement proper logging, monitoring, and alerting for suspicious activities
  4. Test Incident Response: Regular tabletop exercises and incident response drills
  5. Address Shared Service Security: Ensure shared service arrangements include clear security responsibilities and oversight

Cultural Shifts Needed

  • Move from reactive to proactive security posture
  • Invest in specialized cybersecurity personnel
  • Provide regular staff training on phishing and social engineering
  • Establish strong password policies (especially for privileged accounts)
  • Build security into digital transformation initiatives from the start

Current Status and Next Steps

As of Tuesday, November 26, investigations are ongoing, and the full scope of these incidents remains unclear. Key questions include:

  1. Attribution: Who is behind these attacks? Nation-state actors, cybercriminals, or hacktivists?
  2. Data Compromise: What data has been accessed or exfiltrated?
  3. Attack Vector: How did the initial compromise occur?
  4. Scope: Are other councils affected but not yet detected?
  5. Recovery Timeline: When will full services be restored?

The NCSC has confirmed it is "aware of an incident affecting some local authority services in London and are working to understand any potential impact."

Industry Expert Commentary

The incident has prompted strong reactions from cybersecurity professionals:

Graeme Stewart (Check Point): "The NCSC and Met being pulled in at speed shows this is being treated as a high-risk event, not an IT outage. And it should be. Local authorities remain some of the easiest public-sector targets because they're running huge workloads on tight budgets with uneven cyber maturity."

Information Commissioner John Edwards (from previous statements on council security): "We trust local government with some of the most sensitive personal information imaginable, yet they remain one of the leading sources of data breaches. This is not just an admin error – it is about people. When data is mishandled, it can have serious and long-lasting consequences, particularly for people in vulnerable situations."

Implications for the Public

For residents of affected boroughs:

Immediate Concerns

  • Service Delays: Expect delays in council responses and services
  • Communication Challenges: Phone and email systems may remain disrupted
  • Data Breach Risk: Personal information may have been compromised
  • Fraud Vigilance: Be alert for phishing attempts using stolen data

What Residents Should Do

  1. Monitor Financial Accounts: Watch for unusual activity
  2. Be Skeptical of Communications: Verify any council communications before responding
  3. Report Issues: Use alternative contact methods provided by councils
  4. Document Service Disruptions: Keep records of any problems accessing critical services
  5. Stay Informed: Follow official council communications channels for updates

The Path Forward

This incident underscores an urgent need for systemic change in how UK local government approaches cybersecurity. Key recommendations include:

Funding and Resources

  • Dedicated, predictable cybersecurity funding streams rather than short-term grants
  • Investment in modern infrastructure to replace legacy systems
  • Resources for 24/7 security operations capabilities

Collaboration and Coordination

  • Enhanced information sharing between councils on threats and incidents
  • Whole-of-region coordination to unify standards and response
  • Deeper integration with NCSC and national security resources

Technical Capabilities

  • Implementation of Zero Trust security frameworks
  • Adoption of managed detection and response (MDR) services
  • Regular penetration testing and security assessments
  • Comprehensive backup and disaster recovery capabilities

Governance and Accountability

  • Clear security roles and responsibilities in shared service arrangements
  • Regular security audits and compliance assessments
  • Board-level security oversight and reporting
  • Lessons-learned processes after incidents

Conclusion

The coordinated cyber attacks affecting multiple London councils represent a significant escalation in threats facing UK local government. While the full impact remains to be seen, this incident highlights the critical vulnerabilities in shared IT infrastructure models and the urgent need for improved cybersecurity investment and practices across the public sector.

As councils work to restore services and investigate these incidents, the broader question facing UK local government is clear: Are we prepared to defend the sensitive data and critical services that millions of citizens depend on? The answer, based on current evidence and expert assessment, is a resounding no – but this incident may finally catalyze the systemic changes needed to protect public services in an increasingly hostile cyber environment.


Updates: This is a developing story. We will update this article as more information becomes available from official sources.

Disclosure: Information for this article was gathered from public statements by affected councils, media reports, and cybersecurity expert analysis. No confidential or non-public information was accessed or used in preparing this article.

By Breached Company