A cybersecurity incident disrupted shared IT services between **Royal Borough of Kensington and Chelsea (RBKC)**, **Westminster City Council (WCC)**, and **Hammersmith & Fulham**, forcing emergency business continuity measures. Critical services—including phone lines, online reporting, and resident support systems—were severely impacted, with RBKC’s website experiencing intermittent outages. The **National Cyber Security Centre (NCSC)** intervened to isolate systems, restore operations, and investigate potential data compromise, though no confirmation of stolen data was made public. The attack strained vulnerable resident services (e.g., social care, housing support) and triggered precautionary network lockdowns. Experts like **Graeme Stewart (Check Point)** and **Kevin Beaumont** speculated the intrusion involved **lateral movement across shared infrastructure**, possibly linked to a **ransomware attack on a third-party provider**. The Metropolitan Police’s Cyber Crime Unit launched an investigation, but no arrests were made. Delays in service recovery persisted, with authorities apologizing for prolonged disruptions while prioritizing system remediation.
Source: https://www.theregister.com/2025/11/26/cyberattack_london_councils/
TPRM report: https://www.rankiteo.com/company/royal-borough-of-kensington-and-chelsea
"id": "roy4694046112625",
"linkid": "royal-borough-of-kensington-and-chelsea",
"type": "Cyber Attack",
"date": "11/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"{'affected_entities': [{'customers_affected': 'Residents (exact number '
'unspecified)',
'industry': 'Public Sector',
'location': 'London, UK',
'name': 'Royal Borough of Kensington and Chelsea '
'(RBKC)',
'type': 'Local Government'},
{'customers_affected': 'Residents (exact number '
'unspecified)',
'industry': 'Public Sector',
'location': 'London, UK',
'name': 'Westminster City Council (WCC)',
'type': 'Local Government'},
{'customers_affected': 'Residents (exact number '
'unspecified)',
'industry': 'Public Sector',
'location': 'London, UK',
'name': 'London Borough of Hammersmith and Fulham',
'type': 'Local Government'}],
'attack_vector': ['Shared IT Services Exploitation',
'Lateral Movement',
'Credential Theft (Suspected)'],
'customer_advisories': ['Apologies issued',
'Updates promised as information becomes available'],
'data_breach': {'type_of_data_compromised': 'Under investigation'},
'date_detected': '2023-11-24',
'date_publicly_disclosed': '2023-11-24',
'description': 'Two London councils (Royal Borough of Kensington and Chelsea '
'and Westminster City Council) declared a cybersecurity '
'incident on Monday, affecting shared IT services also used by '
'the London Borough of Hammersmith and Fulham. The incident '
'disrupted online and phone services, with the National Cyber '
'Security Centre (NCSC) assisting in remediation. The '
'Metropolitan Police are investigating a suspected cyberattack '
'referred by Action Fraud. Experts suggest the attack may '
'involve credential theft, lateral movement, and potential '
'ransomware targeting shared infrastructure.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'service outages and public apologies',
'customer_complaints': 'Expected due to service disruptions',
'data_compromised': 'Under investigation (standard practice)',
'downtime': 'Ongoing (as of 2023-11-25, with delays in services)',
'operational_impact': ['Business Continuity Plans Invoked',
'Emergency Plans Activated',
'Delays in Resident Services',
'Vulnerable Resident Support Prioritized'],
'systems_affected': ['Websites (patchy availability)',
'Phone Lines',
'Online Reporting Services',
'Shared IT Infrastructure']},
'initial_access_broker': {'entry_point': 'Potentially via shared IT services '
'or stolen credentials',
'high_value_targets': ['Social Care Systems',
'Housing Support Systems',
'Safeguarding Teams']},
'investigation_status': 'Ongoing (Early Stages)',
'references': [{'source': 'The Register'},
{'source': 'Joint Statement by RBKC and WCC (2023-11-24)'},
{'source': 'Hammersmith and Fulham Update (2023-11-25)'},
{'source': 'Metropolitan Police Statement'},
{'source': 'National Cyber Security Centre (NCSC) Statement'}],
'regulatory_compliance': {'regulatory_notifications': ['Information '
"Commissioner's Office "
'(ICO) Contacted']},
'response': {'communication_strategy': ['Public Statements (Joint and '
'Individual)',
'Social Media Updates',
'Apologies for Disruptions',
'Regular Updates Promised'],
'containment_measures': ['Isolation of Networks',
'Protective Measures for Data',
'Mitigations Implemented Overnight'],
'enhanced_monitoring': 'Vigilance for Further Incidents',
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'recovery_measures': ['Business Continuity Plans',
'Emergency Resource Allocation'],
'remediation_measures': ['System Restoration',
'Collaboration with NCSC'],
'third_party_assistance': ['National Cyber Security Centre '
'(NCSC)',
'Cyber Specialists (unspecified)']},
'stakeholder_advisories': ['Residents advised of service delays',
'Vulnerable residents prioritized for support'],
'title': 'Cybersecurity Incident Affecting London Borough Councils (RBKC, '
'WCC, and Hammersmith & Fulham)',
'type': ['Cyberattack', 'Potential Ransomware', 'Service Disruption']}