Full Report
Direct debits? Maybe February. Birth certificates? Dream on. Council tax bills? Oh, those are coming
Hammersmith & Fulham Council says payments are now being processed as usual, two months after a cyberattack that affected multiple boroughs in the UK's capital city.…
Analysis Summary
# Incident Report: Multi-Borough UK Council Cyberattack
## Executive Summary
Multiple London borough councils, including Hammersmith & Fulham (H&F), Westminster City, and Kensington & Chelsea (K&C), were impacted by a significant cyberattack that occurred in November (the date given for the impact on H&F's shared systems). The attack caused widespread disruption to essential public services, including payments, billing, and records access. H&F restored most services approximately two months later, K&C confirmed a data compromise, and Westminster experienced severe delays in resuming direct debits and public service applications.
## Incident Details
- Discovery Date: Not explicitly stated; inferred to be shortly after the attack in November.
- Incident Date: November (when the initial attack affected shared legacy systems).
- Affected Organization: Hammersmith & Fulham Council, Westminster City Council, Kensington and Chelsea Council (multiple London Boroughs).
- Sector: Government / Local Authority.
- Geography: London, UK.
## Timeline of Events
### Initial Access
- Date/Time: November (year inferred as the one prior to the Jan 2026 reporting).
- Vector: Implied via an attack targeting a "neighboring council," affecting shared legacy H&F systems. The context suggests common threat vectors faced by councils (e.g., phishing).
- Details: The attack impacted shared legacy systems used by H&F.
### Lateral Movement
- Not explicitly detailed, but the attack affected "multiple boroughs," suggesting either direct compromise across shared infrastructure or a ripple effect from a primary breach.
### Data Exfiltration/Impact
- **Kensington & Chelsea Report:** Confirmed data compromise.
- **General Impact:** Delays in processing direct debits, council tax, housing rent accounts, birth/death/marriage certificates, and school application forms.
### Detection & Response
- **H&F Response:** Quickly identified risks, successfully isolated and safeguarded their network. Temporarily suspended some public-facing applications as a precaution.
- **Wider Response:** Councils worked closely with "law enforcement and cybersecurity agencies here and internationally."
## Attack Methodology
*Note: Specific technical details are sparse; the entries below are inferred from standard local government attack profiles.*
- Initial Access: Details unknown, but councils face near-daily attacks, often involving phishing (K&C blocked over 113,000 phishing attempts between June and September 2025).
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Unknown.
- Discovery: Unknown.
- Lateral Movement: Unknown, but the impact spanned multiple jurisdictions via shared systems.
- Collection: Data gathered, confirmed compromised at K&C.
- Exfiltration: Occurred, confirmed at K&C.
- Impact: Denial of critical public services and data compromise.
## Impact Assessment
- Financial: Delayed council payments to suppliers, increased costs associated with remediation and investigation. Westminster faces larger-than-normal council tax bills spread across remaining months.
- Data Breach: Confirmed data compromise at Kensington & Chelsea. No evidence of H&F systems being compromised.
- Operational: Severe disruption. Direct debits halted (Westminster until post-January), inability to process payments (K&C), and unavailability of key services (certificates, applications).
- Reputational: Negative impact due to significant delays in essential public services (up to two months for H&F payments to normalize).
## Indicators of Compromise
- *No specific IoCs were provided in the text.*
- Behavioral Indicator: Successful compromise of shared council legacy systems.
## Response Actions
- **Containment:** H&F isolated and safeguarded their network quickly after identifying risks.
- **Eradication:** Ongoing investigation to determine the full scope and impact on data.
- **Recovery:** Resumption of online and telephone payments (H&F, two months later). Restoration of supplier invoice processing systems. Full system restoration for K&C may take months.
## Lessons Learned
- Local authorities are primary targets for disruptive cyberattacks, according to the NCSC.
- Shared legacy systems present significant risk propagation vectors between neighboring councils.
- While rapid isolation can protect individual networks (H&F), the dependency on shared infrastructure leads to widespread disruption.
## Recommendations
- Immediately review and modernize shared legacy systems or establish strict segmentation between boroughs.
- Increase investment in filtering known threat vectors, given the high volume of attempted phishing attacks cited by K&C.
- Establish robust, tested disaster recovery and business continuity plans specifically targeting payment and records management systems, given the multi-month operational recovery timeframe.