Info Gov

A coordinated cyber attack has forced three London boroughs - Westminster City Council, the Royal Borough of Kensington & Chelsea (RBKC), and Hammersmith & Fulham - to shut down parts of their IT infrastructure after detecting suspicious activity earlier this week.

Officials have confirmed that data was accessed and copied from council systems, though early indications suggest the breach relates to historical records. RBKC has warned that while the information remains available to the councils, there is a risk it could be published online. Investigations are ongoing to determine whether personal or financial details of residents and service users are affected.

The incident has left residents struggling to contact their councils, with phone lines and online portals intermittently unavailable. All three councils have “activated emergency plans” to maintain critical services, including housing, social care, and waste collection.

The Information Commissioner’s Office (ICO) has been notified due to the potential compromise of personal data. The National Cyber Security Centre (NCSC) is working with the boroughs to isolate affected systems, restore functionality, and prevent further spread across shared IT networks.

Investigations by the National Crime Agency (NCA) and NCSC remain ongoing, with councils urging residents to remain vigilant for potential phishing attempts or misuse of personal data. Updates are expected as forensic analysis clarifies the scope of the breach and the measures required to restore full service continuity.

Also in this section

Jul 13, 2026

ICO refreshes law enforcement subject access guidance following DUAA 2025

The Information Commissioner's Office has updated its detailed guidance on the right of access under part 3 of the Data Protection Act 2018, incorporating the changes made by the Data (Use and Access) Act 2025 to how competent authorities handle subject access requests for law enforcement processing.
Jul 07, 2026

Section 166 application dismissed after ICO opens fresh investigations into school, council and diocese data sharing

The First-tier Tribunal (General Regulatory Chamber) has dismissed an application under section 166(2) of the Data Protection Act 2018 against the Information Commissioner, despite finding that the regulator's original response to a school employee's data sharing complaint was not an outcome to the Applicant's complaints, because a series of further investigations and outcome letters issued after…

InfoGov Masthead Newsletter 800