We are responding to a cybersecurity issue

Cyber-attack and recovery 

Following a cyber attack on Monday 24 November which affected many of our systems, we are still working hard to restore services. Continue to check our FAQs are which are updated regularly. They will provide you with the latest information about how we are restoring services, and are the best way to stay up to date. 
Impact on your services and progress Some of our systems remain disrupted, or are operating using temporary arrangements. 
This means: 

• slower service response times 
• difficulties in collecting payments and making payments 
• Direct Debit collections issues, but please do expect us to still collect as soon as systems are back online 
• housing and social care administration issues 

Essential services, including those supporting vulnerable residents, are being prioritised. 
Our customer service centre is open Monday to Friday 9am to 5pm for walk-in enquiries and our phone lines are now working although there may be longer waiting times. 

Next steps 

Our investigation is ongoing and will take several months, due to the complex nature of the attack and the data involved, and the need to restart many of our systems. 

We are committed to sharing accurate updates as soon as new information becomes available. 

We will write to individuals if any sensitive data has been released. 

We continue to work closely with law enforcement and cybersecurity agencies here and internationally to investigate the incident. 

We understand this is a worrying situation, and we thank residents, local partners, and our own staff for their patience and cooperation. 

We have established a cyber recovery team who are helping to restore and improve services. Our staff are here and ready to help. 

What we now know about the attack 

Following extensive investigation with cybersecurity specialists from NCC Group and independent forensic experts, we can confirm that this was a cyber-attack with criminal intent, with data copied and taken away. 

Our cybersecurity team detected and contained the attack quickly. There is no evidence of any lateral movement, so we believe the attack was stopped before it spread to third-party systems that help us provide services and store data. 

We confirmed a data breach with the Information Commissioner's Office at the earliest opportunity. We are now investigating that breach for any sensitive data. Small samples show that some of the resident data copied is likely to contain sensitive data and personal information. 

It is possible that any data copied and taken from us could be misused or published. We are planning accordingly for this, working with law enforcement at every step. 

Read and follow National Cyber Security Centre advice on keeping your data safe and what to do if you are worried about a data breach. 

• Data breaches: guidance for individuals and families 
• Top tips for staying secure online

We are taking steps to work through the data in accordance with ICO and legal rules and will be in touch with residents directly. We recognise the sensitivity and importance of this work. 

What our work involves 

• Checking details in files that may have been accessed; much of this will yield nothing, but we want to make sure we turn over every stone 
• Prioritising checks for any sensitive personal data or information about vulnerable individuals, but it will take months to check everything thoroughly. 
• Coordinating with Westminster City Council and London Borough of Hammersmith and Fulham, and working with law enforcement agencies and the National Cyber Security Centre to track data and any criminality. 
• Our approach is to be open and transparent at every step, but also to not cause unnecessary alarm where it may not be warranted, or compromise an ongoing criminal investigation. 

Why has the Council been attacked? 

Investigations are still ongoing, but it is not unusual for councils and other public sector organisations to be targeted in cyber-attacks – especially by criminals looking for personal information or sensitive data.

In fact most local authorities are under constant attack. In 2024, the local government sector reported over 150 incidents to the Information Commissioner's Office.

Here at RBKC, we deal with cybercrime-related activity and issues on an almost daily basis. For example, between June and September this year, the Council intercepted and isolated over 113,000 phishing attempts, mainly by email. We spend £12 million a year on Digital, Data, and Technology, but this is the first time in our history that an attack has been so disruptive. 

Support for residents and partners 

We have already written to over 100,000 households with guidance on what to do if you are worried about the breach. Translated versions are also available. 

We continue to direct people to trusted advice from the National Cyber Security Centre on protecting yourself from fraud, scams, or identity misuse, and what to do when an organisation suffers a data breach at the hands of cybercriminals. 

We encourage everyone to be vigilant. Criminals may use information obtained from this breach to make scams seem more legitimate. Please take extra care with: 

• unexpected emails or messages requesting financial or personal information 
• links or attachments you were not expecting 
• contacts claiming to be the Council but asking you to provide sensitive details 

If in doubt, use our published contact routes rather than replying directly.