Data stolen in London council cyber attack
Residents warned about fake approaches
Data belonging to hundreds of thousands of residents may have been stolen in a cyber attack on London councils at the end of last year.
Three councils – Westminster, the Royal Borough of Kensington & Chelsea (RBKC) and Hammersmith & Fulham – all reported IT issues in late November, which were confirmed to be related to a cyberattack on 1st December.
Kensington & Chelsea Council has now written to households to warn them of approaches from attackers using the information. A spokesperson specifically called out unexpected calls, messages, links or attachments, or anyone claiming to be from the council asking for sensitive details.
“Small samples [of the stolen information] show that some of the resident data copied is likely to contain sensitive data and personal information,” says an update on the council’s website.
All three councils are now working together with the National Cyber Security Centre to track said data and “any criminality.”
The council says it is checking through any files that “may” have been accessed, but warns that checking everything thoroughly will take “months.”
Despite this not being a new attack, the Computing inbox has been inundated with comment, much of it irrelevant. However, some pertinent information did filter through.
Dray Agha, senior manager of security operations at Huntress, said the attack “highlights a critical vulnerability in modern public services: the double-edged sword of shared IT infrastructure.
“While such systems are efficient, the breach of one council can instantly compromise its partners, crippling essential services for hundreds of thousands of residents.”
Dan Panesar, CRO at Certes, noted, “What makes this breach particularly uncomfortable is that it’s happening after years of significant government investment in preventative cyber controls.
“The UK government and the National Cyber Security Centre have spent tens of millions of pounds rolling out defences like Protective DNS (PDNS) across public-sector organisations. PDNS is designed to block access to known malicious domains, and aims to significantly reduce threats like ransomware, malware, and phishing.
“But incidents like this underline the significant limits of this approach. Blocking bad domains protects the front door; it doesn’t protect the data once an attacker gets inside or sits dormant in the system.”
The public sector must adopt the same strategy as the private: protecting data at rest inside the network, not just the front gates.