London councils probe incident hitting shared IT systems • The Register

Two London councils are scrambling for answers after declaring a cybersecurity issue that began on Monday.

The Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council (WCC) confirmed they are investigating an “incident”, admitting “we don’t have all the answers yet, as the management of this incident is still ongoing.”

The two local authorities share IT services as part of joint agreements, with the London Borough of Hammersmith and Fulham also using these shared services.

Cybersecurity experts speaking to The Register said shared services are common across neighboring councils, but although they provide cost benefits, when one council is compromised, the shared nature of the service can open up other authorities to attacks.

According to statements released by all three authorities, the National Cyber Security Centre (NCSC) is supporting them with remediation efforts, protecting data, and isolating and restoring systems.

At the time of writing, RBKC’s website availability is patchy, and the three authorities’ statements allude to various services being affected by the cyber incident, including phone lines.

Further information posted to the authorities’ social media accounts states residents are unable to contact them via phone or online reporting services.

Both RBKC and WCC say they were forced to invoke business continuity and emergency plans, with additional resources being spent on managing the needs of their most vulnerable residents.

Their joint statement on Tuesday said: “At this stage, it is too early to say who did this, and why, but we are investigating to see if any data has been compromised – which is standard practice. Our IT teams worked through the night yesterday, and a number of successful mitigations were put in place, and we remain vigilant should there be any further incidents or issues.

“We apologise to residents for any inconvenience, and thank them for being flexible and understanding, people may see some delays in responses and the services we provide over the coming days. We will continue working with our cyber specialists and the NCSC to restore all systems as quickly as possible, and we will be in touch with more information as it becomes available. If there are any further changes to services, we endeavour to keep everyone updated.”

Hammersmith and Fulham’s brief update on Wednesday morning said: “We are continuing to take precautionary measures to review, isolate and protect our networks. We’re working to fix the problem as quickly as possible and we apologise for the inconvenience.”

The Register contacted the NCSC and the Information Commissioner’s Office for more information. An NCSC spokesperson said: “We are aware of an incident affecting some local authority services in London and are working to understand any potential impact.”

The Metropolitan Police said: “Met Police received a referral from Action Fraud on Monday, 24 November, following reports of a suspected cyberattack against borough councils in London.

“Enquiries remain in the early stages within the Met’s Cyber Crime Unit. No arrests have been made.”

Graeme Stewart, head of public sector at Check Point, said the situation being described by the London authorities “has all the signs of a serious intrusion.”

“Knocking out a London borough isn’t a nuisance – it’s a direct hit on the people who rely on social care, housing support, and safeguarding teams to keep them safe,” he said. “When these systems stall, the impact lands on residents who have no buffer.

“What’s happening here has all the signs of a serious intrusion: Multiple boroughs knocked offline, shared infrastructure exposed, and urgent internal warnings telling staff to avoid emails from partner councils.

“That’s classic behaviour when attackers get hold of credentials or move laterally through a shared environment. Once they’re inside one part of the network, they can hop through connected systems far faster than most councils can respond.”

Infosec expert Kevin Beaumont suggested the incident was possibly related to a ransomware attack on a shared service provider. ®