Full Report
Three boroughs confirm investigation amid service outages, disrupted phone lines, and limited online access Two London councils are scrambling for answers after declaring a cybersecurity issue that began on Monday.…
Analysis Summary
# Incident Report: London Councils Shared IT System Disruption
## Executive Summary
A cybersecurity incident began on Monday, affecting shared IT systems used by at least two London councils: The Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council (WCC), with the London Borough of Hammersmith and Fulham also implicated due to shared services. The incident caused significant operational disruption, including service outages, disrupted phone lines, and limited online access for residents. Response efforts involve the NCSC, and law enforcement (Met Police Cyber Crime Unit) has opened an investigation following a referral.
## Incident Details
- **Discovery Date:** Monday, November 24, 2025 (the day the councils declared the issue; the report gives no time of day).
- **Incident Date:** On or before Monday, November 24, 2025. The date is taken from the Action Fraud referral; the initial compromise may predate detection.
- **Affected Organization:** Royal Borough of Kensington and Chelsea (RBKC), Westminster City Council (WCC), London Borough of Hammersmith and Fulham (H&F).
- **Sector:** Government/Local Authority.
- **Geography:** London, UK.
## Timeline of Events
### Initial Access
- **Date/Time:** Monday.
- **Vector:** Not stated. Expert commentary characterises the event as a serious intrusion into shared infrastructure rather than an isolated single-council outage.
- **Details:** Initial compromise occurred on or before Monday, affecting shared IT services used by multiple boroughs.
### Lateral Movement
- **Date/Time:** Post-initial compromise.
- **Vector:** Inferred, not confirmed: reuse of compromised credentials to hop between connected systems.
- **Details:** Expert commentary describes this as classic behaviour when attackers move laterally through a shared environment after gaining initial credentials or access. The councils have not confirmed the mechanism.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing during the investigation.
- **Vector:** Not stated; no exfiltration has been confirmed.
- **Details:** Service outages, disrupted phone lines, and limited online access reported. The councils are investigating whether any data was compromised.
### Detection & Response
- **Date/Time:** Monday/Ongoing.
- **Vector:** Internal detection and external referral.
- **Details:** Met Police received a referral from Action Fraud on Monday, November 24. Councils invoked business continuity and emergency plans. NCSC is supporting remediation, isolation, and restoration efforts.
## Attack Methodology
*Note: Specific techniques are inferred from expert commentary, as official details are pending investigation.*
- **Initial Access:** Likely compromise of credentials or a vulnerability within the shared IT service provider.
- **Persistence:** Not detailed, but presumed necessary for prolonged service disruption.
- **Privilege Escalation:** Implied, necessary to cause widespread disruption across shared systems.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Suspected. Experts noted that gaining initial credentials and then moving laterally through a shared environment is "classic behaviour".
- **Discovery:** Necessary to map and target shared infrastructure.
- **Lateral Movement:** Occurred through connected systems leveraging the shared service architecture.
- **Collection:** Investigation underway to confirm if data was gathered; councils are investigating potential data compromise.
- **Exfiltration:** Not detailed.
- **Impact:** Denial of service/disruption of critical resident services (phone lines, online access).
## Impact Assessment
- **Financial:** Costs associated with incident management, remediation, and allocation of additional resources for vulnerable resident support.
- **Data Breach:** Under investigation. Councils are treating data compromise as a possibility and standard practice is being followed.
- **Operational:** Significant disruption to essential council services, including inability for residents to contact them via phone or online reporting. Business continuity/emergency plans invoked.
- **Reputational:** Negative impact due to extended service outages and inability to serve residents effectively.
## Indicators of Compromise
- **Network indicators:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** Service outages affecting multiple interconnected local authorities; internal warnings circulated to staff regarding emails from partner councils.
## Response Actions
- **Containment measures:** Working with cyber specialists; NCSC supporting isolation of affected systems; precautionary measures taken to review and isolate networks.
- **Eradication steps:** Ongoing efforts by IT teams, who worked through the night to place mitigations.
- **Recovery actions:** Working to restore all systems as quickly as possible; invoking business continuity plans.
## Lessons Learned
- Reliance on shared IT services, while cost-effective, significantly increases the blast radius when one entity is compromised, exposing multiple authorities simultaneously.
- **What could have been done better:** Immediate visibility into the root cause and scope of compromise was initially lacking, requiring several days for initial public statements.
## Recommendations
- Conduct a comprehensive audit of shared service agreements to ensure robust segmentation and isolated incident response procedures between partnering councils.
- Review credential management and multi-factor authentication adherence across all shared access points.
- Enhance proactive monitoring capabilities on the shared infrastructure perimeter to detect lateral movement signs earlier.
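The lateral-movement concern raised in the Attack Methodology section and the monitoring recommendation above both come down to the same detection: one account authenticating across several councils' hosts in a short window. The following is an added example written for this page, not code from the councils, the NCSC, or the original report. It assumes a hypothetical shared domain in which each council's hosts carry a name prefix (rbkc-, wcc-, lbhf-) and that authentication events are available as JSON lines with the fields shown, modelled loosely on Windows logon event 4624; the sample events are constructed, not real logs.

```python
"""Flag cross-council lateral movement in a shared environment.

Added example, not from the incident report. Host-name prefixes,
field names and the sample events below are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Hypothetical host-name prefix -> council segment mapping.
SEGMENTS = {"rbkc": "RBKC", "wcc": "WCC", "lbhf": "H&F"}

# Constructed sample events (loosely modelled on Windows event 4624).
# logon_type 3 = network, 10 = remote interactive, 2 = local console.
SAMPLE_LOG = """
{"ts": "2025-11-24T02:10:05", "user": "svc-backup", "src": "10.10.1.5", "dst": "rbkc-fs01", "logon_type": 3}
{"ts": "2025-11-24T02:14:40", "user": "svc-backup", "src": "10.10.1.5", "dst": "wcc-fs02", "logon_type": 3}
{"ts": "2025-11-24T02:20:12", "user": "svc-backup", "src": "10.10.1.5", "dst": "lbhf-dc01", "logon_type": 10}
{"ts": "2025-11-24T02:25:03", "user": "svc-backup", "src": "10.10.1.5", "dst": "rbkc-app03", "logon_type": 3}
{"ts": "2025-11-24T02:31:55", "user": "svc-backup", "src": "10.10.1.5", "dst": "wcc-app07", "logon_type": 3}
{"ts": "2025-11-24T08:00:00", "user": "contractor", "src": "10.20.3.9", "dst": "wcc-jump01", "logon_type": 10}
{"ts": "2025-11-24T08:05:00", "user": "contractor", "src": "10.20.3.9", "dst": "wcc-app07", "logon_type": 3}
{"ts": "2025-11-24T09:00:00", "user": "jsmith", "src": "10.10.5.21", "dst": "rbkc-ws101", "logon_type": 2}
{"ts": "2025-11-24T09:05:00", "user": "jsmith", "src": "10.10.5.21", "dst": "rbkc-fs01", "logon_type": 3}
{"ts": "2025-11-24T09:10:00", "user": "jsmith", "src": "10.10.5.21", "dst": "rbkc-print01", "logon_type": 3}
{"ts": "2025-11-24T11:00:00", "user": "contractor", "src": "10.20.3.9", "dst": "lbhf-dc01", "logon_type": 3}
"""


def segment_of(host):
    """Map a host name to its council segment via the (assumed) prefix."""
    prefix = host.split("-", 1)[0].lower()
    return SEGMENTS.get(prefix, "UNKNOWN")


def parse_events(text):
    """Parse JSON-lines auth events, attach the destination segment, sort by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        event["segment"] = segment_of(event["dst"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_lateral_movement(events, window=timedelta(minutes=30), fanout=4):
    """Return a list of (user, rule, detail) alerts.

    Rule "cross_segment": one account reaches hosts in more than one
    council segment within `window`.
    Rule "fanout": one account reaches at least `fanout` distinct hosts
    within `window`.
    Only network and remote-interactive logons (types 3 and 10) count;
    a console logon is not lateral movement. Each rule fires at most
    once per account so a noisy account does not flood the queue.
    """
    by_user = defaultdict(list)
    for event in events:
        if event["logon_type"] in (3, 10):
            by_user[event["user"]].append(event)

    alerts = []
    for user, user_events in by_user.items():
        fired = set()
        for i, start in enumerate(user_events):
            in_window = [e for e in user_events[i:] if e["ts"] - start["ts"] <= window]
            segments = {e["segment"] for e in in_window}
            hosts = {e["dst"] for e in in_window}
            if len(segments) > 1 and "cross_segment" not in fired:
                alerts.append((user, "cross_segment", sorted(segments)))
                fired.add("cross_segment")
            if len(hosts) >= fanout and "fanout" not in fired:
                alerts.append((user, "fanout", sorted(hosts)))
                fired.add("fanout")
    return alerts


if __name__ == "__main__":
    for user, rule, detail in detect_lateral_movement(parse_events(SAMPLE_LOG)):
        print(f"ALERT {rule:13s} user={user} {detail}")
```

With the defaults, only svc-backup fires: it touches five hosts across all three councils in 21 minutes. The contractor account crosses from WCC to H&F but three hours apart, so it is silent under the 30-minute window and surfaces only if the window is widened (for example to four hours), which is the trade-off to tune against legitimate cross-council support activity. Note the rule keys on the destination host's segment only; pairing it with the source address's segment would also catch hosts reached from a network they should never be reached from.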