London councils probe cyber incident as shared IT systems knocked offline
(2025/11/26)
- Reference: 1764155049
- News link: https://www.theregister.co.uk/2025/11/26/cyberattack_london_councils/
- Source link:
Two London councils are scrambling for answers after declaring a cybersecurity issue that began on Monday.
The Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council (WCC) confirmed they are investigating an "incident", admitting "we don't have all the answers yet, as the management of this incident is still ongoing."
The two local authorities share IT services as part of joint agreements, with the London Borough of Hammersmith and Fulham also using these shared services.
[1]
Cybersecurity experts speaking to The Register said shared services are common across neighboring [2]councils , but although they provide cost benefits, when one council is compromised, the shared nature of the service can open up other authorities to attacks.
[3]
[4]
According to statements released by all three authorities, the [5]National Cyber Security Centre (NCSC) is supporting them with remediation efforts, protecting data, and isolating and restoring systems.
At the time of writing, RBKC's website availability is patchy, and the three authorities' statements allude to various services being affected by the cyber incident, including phone lines.
[6]
Further information posted to the authorities' social media accounts states residents are unable to contact them via phone or online reporting services.
Both RBKC and WCC say they were forced to invoke business continuity and emergency plans, with additional resources being spent on managing the needs of their most vulnerable residents.
Their joint [7]statement on Tuesday said: "At this stage, it is too early to say who did this, and why, but we are investigating to see if any data has been compromised – which is standard practice. Our IT teams worked through the night yesterday, and a number of successful mitigations were put in place, and we remain vigilant should there be any further incidents or issues.
[8]
"We apologise to residents for any inconvenience, and thank them for being flexible and understanding, people may see some delays in responses and the services we provide over the coming days. We will continue working with our cyber specialists and the NCSC to restore all systems as quickly as possible, and we will be in touch with more information as it becomes available. If there are any further changes to services, we endeavour to keep everyone updated."
Hammersmith and Fulham's brief update on Wednesday morning said: "We are continuing to take precautionary measures to review, isolate and protect our networks. We're working to fix the problem as quickly as possible and we apologise for the inconvenience."
[9]Lifetime access to AI-for-evil WormGPT 4 costs just $220
[10]Corporate predators get more than they bargain for when their prey runs SonicWall firewalls
[11]Get ready for 2026, the year of AI-aided ransomware
[12]Clop's Oracle EBS rampage reaches Dartmouth College
The Register contacted the NCSC and the Information Commissioner's Office for more information. An NCSC spokesperson said: "We are aware of an incident affecting some local authority services in London and are working to understand any potential impact."
The Metropolitan Police said: "Met Police received a referral from Action Fraud on Monday, 24 November, following reports of a suspected cyberattack against borough councils in London.
"Enquiries remain in the early stages within the Met's Cyber Crime Unit. No arrests have been made."
Graeme Stewart, head of public sector at Check Point, said the situation being described by the London authorities "has all the signs of a serious intrusion."
"Knocking out a London borough isn't a nuisance – it's a direct hit on the people who rely on social care, housing support, and safeguarding teams to keep them safe," he said. "When these systems stall, the impact lands on residents who have no buffer.
"What's happening here has all the signs of a serious intrusion: Multiple boroughs knocked offline, shared infrastructure exposed, and urgent internal warnings telling staff to avoid emails from partner councils.
"That's classic behaviour when attackers get hold of credentials or move laterally through a shared environment. Once they're inside one part of the network, they can hop through connected systems far faster than most councils can respond."
Infosec expert Kevin Beaumont [13]suggested the incident was possibly related to a [14]ransomware attack on a shared service provider. ®
Get our [15]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aScyKJKtlylGDLC1lGIxKgAAANA&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://www.theregister.com/2024/11/01/uk_councils_russia_ddos/
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aScyKJKtlylGDLC1lGIxKgAAANA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aScyKJKtlylGDLC1lGIxKgAAANA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://www.theregister.com/2025/10/14/ncsc_uk_cyberattack_surge/
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aScyKJKtlylGDLC1lGIxKgAAANA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://www.rbkc.gov.uk/newsroom/we-are-responding-cyber-security-issue
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aScyKJKtlylGDLC1lGIxKgAAANA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[9] https://www.theregister.com/2025/11/25/wormgpt_4_evil_ai_lifetime_cost_220_dollars/
[10] https://www.theregister.com/2025/11/25/akira_ransomware_acquisitions/
[11] https://www.theregister.com/2025/11/25/trend_micro_agentic_ai_assisted_ransomware/
[12] https://www.theregister.com/2025/11/25/clop_dartmouth_college/
[13] https://cyberplace.social/@GossiTheDog/115612026740391366
[14] https://www.theregister.com/2025/11/11/ransomware_surge_fuels_230_increase/
[15] https://whitepapers.theregister.com/
The Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council (WCC) confirmed they are investigating an "incident", admitting "we don't have all the answers yet, as the management of this incident is still ongoing."
The two local authorities share IT services as part of joint agreements, with the London Borough of Hammersmith and Fulham also using these shared services.
[1]
Cybersecurity experts speaking to The Register said shared services are common across neighboring [2]councils , but although they provide cost benefits, when one council is compromised, the shared nature of the service can open up other authorities to attacks.
[3]
[4]
According to statements released by all three authorities, the [5]National Cyber Security Centre (NCSC) is supporting them with remediation efforts, protecting data, and isolating and restoring systems.
At the time of writing, RBKC's website availability is patchy, and the three authorities' statements allude to various services being affected by the cyber incident, including phone lines.
[6]
Further information posted to the authorities' social media accounts states residents are unable to contact them via phone or online reporting services.
Both RBKC and WCC say they were forced to invoke business continuity and emergency plans, with additional resources being spent on managing the needs of their most vulnerable residents.
Their joint [7]statement on Tuesday said: "At this stage, it is too early to say who did this, and why, but we are investigating to see if any data has been compromised – which is standard practice. Our IT teams worked through the night yesterday, and a number of successful mitigations were put in place, and we remain vigilant should there be any further incidents or issues.
[8]
"We apologise to residents for any inconvenience, and thank them for being flexible and understanding, people may see some delays in responses and the services we provide over the coming days. We will continue working with our cyber specialists and the NCSC to restore all systems as quickly as possible, and we will be in touch with more information as it becomes available. If there are any further changes to services, we endeavour to keep everyone updated."
Hammersmith and Fulham's brief update on Wednesday morning said: "We are continuing to take precautionary measures to review, isolate and protect our networks. We're working to fix the problem as quickly as possible and we apologise for the inconvenience."
[9]Lifetime access to AI-for-evil WormGPT 4 costs just $220
[10]Corporate predators get more than they bargain for when their prey runs SonicWall firewalls
[11]Get ready for 2026, the year of AI-aided ransomware
[12]Clop's Oracle EBS rampage reaches Dartmouth College
The Register contacted the NCSC and the Information Commissioner's Office for more information. An NCSC spokesperson said: "We are aware of an incident affecting some local authority services in London and are working to understand any potential impact."
The Metropolitan Police said: "Met Police received a referral from Action Fraud on Monday, 24 November, following reports of a suspected cyberattack against borough councils in London.
"Enquiries remain in the early stages within the Met's Cyber Crime Unit. No arrests have been made."
Graeme Stewart, head of public sector at Check Point, said the situation being described by the London authorities "has all the signs of a serious intrusion."
"Knocking out a London borough isn't a nuisance – it's a direct hit on the people who rely on social care, housing support, and safeguarding teams to keep them safe," he said. "When these systems stall, the impact lands on residents who have no buffer.
"What's happening here has all the signs of a serious intrusion: Multiple boroughs knocked offline, shared infrastructure exposed, and urgent internal warnings telling staff to avoid emails from partner councils.
"That's classic behaviour when attackers get hold of credentials or move laterally through a shared environment. Once they're inside one part of the network, they can hop through connected systems far faster than most councils can respond."
Infosec expert Kevin Beaumont [13]suggested the incident was possibly related to a [14]ransomware attack on a shared service provider. ®
Get our [15]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aScyKJKtlylGDLC1lGIxKgAAANA&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://www.theregister.com/2024/11/01/uk_councils_russia_ddos/
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aScyKJKtlylGDLC1lGIxKgAAANA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aScyKJKtlylGDLC1lGIxKgAAANA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://www.theregister.com/2025/10/14/ncsc_uk_cyberattack_surge/
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aScyKJKtlylGDLC1lGIxKgAAANA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://www.rbkc.gov.uk/newsroom/we-are-responding-cyber-security-issue
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aScyKJKtlylGDLC1lGIxKgAAANA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[9] https://www.theregister.com/2025/11/25/wormgpt_4_evil_ai_lifetime_cost_220_dollars/
[10] https://www.theregister.com/2025/11/25/akira_ransomware_acquisitions/
[11] https://www.theregister.com/2025/11/25/trend_micro_agentic_ai_assisted_ransomware/
[12] https://www.theregister.com/2025/11/25/clop_dartmouth_college/
[13] https://cyberplace.social/@GossiTheDog/115612026740391366
[14] https://www.theregister.com/2025/11/11/ransomware_surge_fuels_230_increase/
[15] https://whitepapers.theregister.com/
Mickey Porkpies
Trumps best pal up to dirty tricks again dumping malware for script kiddies to fire at will.
Just wait.
Judge Mental
Another Hackneyed excuse will be along in a minute.
Lets play playbook bingo.
chu017
"we are investigating to see if any data has been compromised" YES IT HAS BEEN
"Our IT teams worked through the night yesterday"
"we remain vigilant should there be any further incidents or issues" STABLE DOOR ETC
"We will continue working with our cyber specialists and the NCSC to restore all systems as quickly as possible"
"we will be in touch with more information as it becomes available"
"We're working to fix the problem as quickly as possible and we apologise for the inconvenience"
Well at least no one said that security is important.
Cyber Crims really don't
Give a great deal of thought to what or who they are impacting.
Anyone care to wager whether it's ransomware related or do we think it's just some kids messing around, a la the Transport for London hackers that have been in the dock recently?
There's a lot to be said when you're having concentration risk that impacts multiple entities, it's like the jackpot for hackers when they get into shared services like this.