Full Report
The Royal Borough of Kensington and Chelsea (RBKC) and the Westminster City Council (WCC) announced that they are experiencing service disruptions following a cybersecurity issue. [...]
Analysis Summary
# Incident Report: Cyberattack Disrupts London Councils' IT Services
## Executive Summary
A cybersecurity incident simultaneously disrupted the IT services of the Royal Borough of Kensington and Chelsea (RBKC) and the Westminster City Council (WCC), due to shared IT infrastructure. The disruption, which began on Monday, impacted critical functions, including resident phone lines and online services. The affected councils, along with the London Borough of Hammersmith and Fulham (LBHF), have isolated systems, involved expert incident responders, and notified the UK's ICO while investigating the scope of the compromise, which is suspected to be a ransomware attack targeting a shared service provider.
## Incident Details
- Discovery Date: Not explicitly stated, but service disruptions were announced "yesterday" (relative to the Nov 26, 2025 article publish date), with the issue occurring on **Monday**.
- Incident Date: Monday (prior to November 25, 2025).
- Affected Organization: Royal Borough of Kensington and Chelsea (RBKC), Westminster City Council (WCC), and the London Borough of Hammersmith and Fulham (LBHF).
- Sector: Government/Local Authority.
- Geography: London, UK.
## Timeline of Events
### Initial Access
- Date/Time: Monday (date leading up to public announcement).
- Vector: Suspected attack on a **third-party IT services provider** shared by the three councils.
- Details: The compromise of the shared service provider is the likely source of initial access to the councils' networked systems.
### Lateral Movement
- Details: Not detailed in public statements, but the incident affected multiple systems across the connected councils, suggesting successful internal network traversal.
### Data Exfiltration/Impact
- Details: Investigations are ongoing to determine if any data has been compromised or exfiltrated. The immediate impact was service disruption across multiple computerized systems.
### Detection & Response
- Date/Time: The incident was discovered Monday, leading to staggered public announcements "yesterday" (relative to the article).
- Response actions taken:
  - Councils shut down several computerized systems as a precaution.
  - RBKC and WCC activated emergency plans to maintain critical services.
  - Councils engaged specialist cyber incident experts and the National Cyber Security Centre (NCSC).
  - LBHF took "enhanced measures to isolate and safeguard our networks."
  - The UK Information Commissioner's Office (ICO) was informed.
## Attack Methodology
- Initial Access: Compromise of a shared IT service provider (suspected, based on expert analysis; not confirmed by the councils).
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Implied across shared infrastructure between RBKC and WCC.
- Collection: Unknown if data collection occurred; investigation underway.
- Exfiltration: Unknown if data exfiltration occurred; investigation underway.
- Impact: Service disruption (phone lines, online services). Security expert suggests the attack type is **ransomware**.
## Impact Assessment
- Financial: Not specified.
- Data Breach: Unknown. Investigations are ongoing to determine if data was compromised.
- Operational: Significant disruption to resident services, including online services and call centers, necessitating the activation of emergency protocols and the provision of alternative contact numbers.
- Reputational: Public announcements were necessary to inform residents of service outages given the size and importance of the affected authorities.
## Indicators of Compromise
- Network indicators: None provided.
- File indicators: None provided.
- Behavioral indicators: System-wide service disruption impacting multiple connected council infrastructures.
## Response Actions
- Containment measures: Shutting down several computerized systems as a precaution; LBHF isolating and safeguarding its networks.
- Eradication steps: Ongoing, working with specialist experts and NCSC.
- Recovery actions: Focus on restoring systems and maintaining critical services to the public.
## Lessons Learned
- Interconnectedness risk: Over-reliance on shared IT infrastructure between multiple independent local authorities creates a single point of failure susceptible to supply chain compromises.
- Supply chain vulnerability: Cyber incidents against key third-party service providers can have cascading impacts across contracted clients (councils).
## Recommendations
- Conduct immediate, independent third-party audits on all shared and outsourced IT services, focusing on segmentation and resilience capabilities.
- Develop and test comprehensive tabletop exercises simulating supply chain compromise scenarios involving shared providers.
- Enhance segmentation between critical and non-critical council networks to limit potential lateral movement following initial access via an external vendor.