A cyber security expert has issued a stark warning that the recent cyber attack targeting two London councils is likely "far more serious" than officials are publicly admitting.
Critical Systems Compromised
The Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council, which share IT infrastructure serving approximately 360,000 residents, confirmed systems across both authorities were affected by the incident that began on Monday, November 24.
Engineers worked through the night as the threat emerged, with memos circulating to other London councils by Tuesday morning warning of the security breach. By Tuesday evening, RBKC confirmed that experts from the National Cyber Security Centre (NCSC) were assisting with efforts to protect data, restore systems and maintain critical services.
Internal memos seen by the Local Democracy Reporting Service reveal the council has taken drastic measures including cutting off internet access and instructing staff to work from home. While staff can still access Microsoft Teams, Outlook and guest Wi-Fi, the council doesn't anticipate full restoration of affected systems "for some days".
Telling Signs of Serious Breach
Graeme Stewart, director of public sector at cyber security firm Check Point Software, told MyLondon that the involvement of the Information Commissioner's Office (ICO) provides crucial insight into the severity of the incident.
"The telling bit in this is the Information Commissioner's Office. That's your clue when you look at a cyber attack that it's more serious," said Stewart, who has over 25 years of experience dealing with such incidents.
"No one is going to basically contact the ICO unless it's serious and it involves section 108. So the inference you can make is there has been some kind of data loss."
Section 108 of the Data Protection Act 2018 requires data controllers to notify the Commissioner of a personal data breach immediately upon discovery. Stewart noted that the additional involvement of the Metropolitan Police Cyber Unit and NCSC further indicates the attack "must be quite serious".
Vulnerable Residents at Risk
Mr Stewart expressed particular concern about the impact on society's most vulnerable members, stating he still finds it "sickening" that hackers target essential public services.
"The most vulnerable get disproportionately affected by these things because they disproportionately use local government services," he explained.
The consequences of compromised council systems can be severe, especially for people with care needs. Stewart referenced the incident at King's College Hospital NHS Foundation Trust where a patient death was directly linked to a cyber attack that affected thousands of treatments, operations and appointments.
While RBKC hasn't revealed the nature of the attack, Stewart suggested the worst-case scenario would be a ransomware attack demanding millions in payment. He described ransomware as functioning "like a digital verruca" that buries itself in systems before activating to take everything offline.
Massive Financial Implications
The financial impact of such attacks can be staggering, with recovery costs often running into millions. Hackney Council continues to bear costs in the hundreds of thousands for agency staff and IT consultants following a 2020 hack, while Gloucester Council's recovery from a 2021 attack exceeded £1.1 million by 2023. The 2020 cyber attack on Redcar Council cost more than £10 million.
"These things have massive implications. It's not just an irritation that you can't phone up and complain that your wheelie bin hasn't been picked up," Stewart emphasised.
RBKC, which spends £12 million annually on IT and security systems including the latest Microsoft Defender protection, has established the cause of the incident and implemented "successful mitigations". However, the council isn't sharing details while investigations with the National Crime Agency and NCSC continue.
A council spokesperson confirmed that some systems, including phone lines, remain disrupted, but business continuity plans have been activated to ensure delivery of critical services, particularly for vulnerable residents.
Westminster City Council, also impacted by the attack, had no further updates to provide when approached for comment.
