Are shared systems to blame for latest wave of London council cyberattacks?


A series of suspected cyberattacks affecting three neighbouring London boroughs is raising concerns that the breach may point to a broader supply chain weakness in shared IT systems.

The Royal Borough of Kensington & Chelsea (RBKC), Westminster City Council, and the London Borough of Hammersmith & Fulham are all understood to have been affected by a suspected cyberattack.

The local authorities — which share multiple IT functions — confirmed in a joint statement that they were “responding to a cyber security issue” detected on November 24th.

The councils added that they had already informed UK data watchdog the ICO and were working with specialist incident teams and the UK’s dedicated cyber crime force, the National Cyber Security Centre, to “protect systems and data, restore systems and maintain critical services to the public.”

Joint statement from councils details extent of issue

In the official statement, the boroughs acknowledged that “a number of systems are impacted…including phone lines” but added that they did not yet know who was responsible or whether any data had been compromised.

“We don’t have all the answers yet, as the management of this incident is still ongoing,” RBKC said, promising further updates when they become available.

It added that its IT teams worked through the night and a number of successful mitigations were put in place.

In a post on its official X account, RBKC warned residents that the “serious IT issue” continued to affect its services.

According to the BBC’s Local Democracy Reporting Service, Westminster City Council said people were struggling to contact the authority.

The service noted that Hackney Council had raised the threat level to critical, but the council moved quickly to clarify that it was not one of the affected boroughs, as stated in early media reports.

“Hackney Council is unaffected by the cyber attack that is reported to be affecting some councils in London. Media reports suggesting otherwise are mistaken,” a spokesperson confirmed in a press statement on its website.

Supply chain compromise?

While the cause of the issue is still being investigated, cybersecurity experts say the scale and timing of the disruption may offer clues.

Early indications suggest that the point of entry was through shared IT infrastructure used by a tri-borough arrangement, which, while cost efficient, could also allow the attack to spread quickly.

As Megha Kumar, chief product officer and head of geopolitical risk at CyXcel, puts it: “This incident shows that cost-saving shared services can create single points of failure. This incident once again highlights that hackers are targeting the weakest link in an organisation’s cybersecurity, and that is increasingly their supply chain.”

Rob Demain, CEO of e2e-assure, agreed that with three London councils affected “the most plausible explanation was a shared service provider being compromised rather than each council being individually targeted.”

Criminal groups, he added, often pressure managed service providers “because commercial providers are more likely to pay a ransom than public sector bodies.”

If the attack does turn out to be targeted at the councils, he added, motives could range from data theft to notoriety or even state-backed disruption, though he believes the latter scenario is “less likely at this stage.”

Ian Nicholson, head of incident response at Pentest People, said interconnected systems amplify the impact of any breach.

“When environments are completely interconnected, compromise in one area quickly propagates across the whole environment,” he said.

Others warn that the decision by RBKC and Westminster to rapidly shut down systems indicates concern that the incident could escalate.

An earlier breach in the London borough of Hackney affected 280,000 residents and staff.

Graeme Stewart, head of public sector at Check Point, said: “The decision to shut down services so quickly isn’t an overreaction – it tells you they suspect this could escalate into encryption or data theft.”

Councils, Stewart noted, hold incredibly sensitive material: social-care files, identity documents, housing records, “everything you’d need for targeted fraud or extortion.”

Raghu Nandakumara, VP of Industry Strategy at Illumio, said that the incident was a reminder that “preventing every attack is an unattainable goal for stretched councils,” adding that containing breaches without shutting down services should be the long-term aim.

While Hackney Council claims to have been unaffected by the latest attacks, the London Borough suffered a serious cyber incident in 2020, which impacted about 280,000 residents and staff.

The ICO later reprimanded the council over the incident, finding examples of a lack of proper security and processes to protect personal data.

