Three Greater London councils struck by a cyber attack last week are receiving response support from cyber security experts at NCC Group as they continue to pursue multiple investigations into the incident.
The three neighbouring authorities, the London Borough of Hammersmith and Fulham, the Royal Borough of Kensington and Chelsea (RBKC), and Westminster City Council – which operate a number of shared systems between them – first identified the incident on 24 November.
Of the three, RBKC has already disclosed that some historical data has been copied and exfiltrated from its systems, although it has not been encrypted or destroyed.
NCC’s teams were deployed alongside the National Cyber Security Centre (NCSC), London’s Metropolitan Police, and the National Crime Agency (NCA), with its operatives focused primarily on containing the impact of the attack and managing the three councils through the disruption, with a focus on restarting affected systems and public-facing services as soon as possible.
“Attacks on our public services require a diverse team to respond,” said NCC CEO Mike Maddison. “Our team is working around the clock and under immense pressure as part of a coordinated effort to limit the impact of this incident and to work towards the continued delivery of essential services.
“As we have seen time and again in similar scenarios, the road to achieving a safe recovery of digital services can be challenging and will take time,” he added.
“This will be a difficult
NCC Group North America cybersecurity rating report: https://www.rankiteo.com/company/nccgroup-north-america
"id": "NCC1765123074",
"linkid": "nccgroup-north-america",
"type": "Cyber Attack",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': None,
'industry': 'Public Sector',
'location': 'Greater London, UK',
'name': 'London Borough of Hammersmith '
'and Fulham',
'size': None,
'type': 'Local Government'},
{'customers_affected': None,
'industry': 'Public Sector',
'location': 'Greater London, UK',
'name': 'Royal Borough of Kensington and '
'Chelsea (RBKC)',
'size': None,
'type': 'Local Government'},
{'customers_affected': None,
'industry': 'Public Sector',
'location': 'Greater London, UK',
'name': 'Westminster City Council',
'size': None,
'type': 'Local Government'}],
'data_breach': {'data_encryption': 'No',
'data_exfiltration': 'Yes',
'file_types_exposed': None,
'number_of_records_exposed': None,
'personally_identifiable_information': None,
'sensitivity_of_data': None,
'type_of_data_compromised': 'Historical data'},
'date_detected': '2023-11-24',
'description': 'Three neighbouring Greater London '
'councils—London Borough of Hammersmith and '
'Fulham, Royal Borough of Kensington and Chelsea '
'(RBKC), and Westminster City Council—were struck '
'by a cyber attack on 24 November. The incident '
"involved data exfiltration from RBKC's systems, "
'though no encryption or destruction of data '
'occurred. Response efforts include containment, '
'system recovery, and coordination with '
'cybersecurity experts and law enforcement.',
'impact': {'brand_reputation_impact': None,
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': 'Historical data copied and '
'exfiltrated',
'downtime': None,
'financial_loss': None,
'identity_theft_risk': None,
'legal_liabilities': None,
'operational_impact': 'Disruption to public-facing '
'services',
'payment_information_risk': None,
'revenue_loss': None,
'systems_affected': 'Shared systems among the three '
'councils'},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': None,
'high_value_targets': None,
'reconnaissance_period': None},
'investigation_status': 'Ongoing',
'post_incident_analysis': {'corrective_actions': None,
'root_causes': None},
'ransomware': {'data_encryption': 'No',
'data_exfiltration': 'Yes',
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': None},
'references': [{'date_accessed': None,
'source': 'NCC Group Statement',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': None,
'regulatory_notifications': None},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': None,
'containment_measures': 'Ongoing efforts to contain '
'the impact',
'enhanced_monitoring': None,
'incident_response_plan_activated': None,
'law_enforcement_notified': 'London’s Metropolitan '
'Police, National Crime '
'Agency (NCA)',
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': 'Restarting affected '
'systems and public-facing '
'services',
'third_party_assistance': 'NCC Group, National '
'Cyber Security Centre '
'(NCSC)'},
'title': 'Cyber Attack on Three Greater London Councils',
'type': 'Cyber Attack'}