Info Gov

Three West London boroughs have promised a comprehensive review of their shared IT arrangements following a major cyber incident that disrupted services and led to evidence of data theft.

Westminster City Council, the Royal Borough of Kensington and Chelsea (RBKC), and Hammersmith and Fulham Councils confirmed that hackers accessed and copied residents’ personal data. In response, leaders across the boroughs have pledged to conduct an independent review of their shared services model, examining both governance and resilience “when the time is right”.

Council representatives said the review will:
• Assess vulnerabilities in the shared IT infrastructure.
• Scrutinise contractual arrangements with service providers to ensure accountability.
• Recommend reforms to strengthen cyber resilience and protect residents’ data.
• Report publicly on findings to maintain transparency and rebuild trust.

Services Still Disrupted
While the councils work to restore systems, residents continue to face disruption with online portals for housing and benefits still unavailable and-customer service lines have been intermittently down. Meanwhile, the Local Government Ombudsman has paused new complaints against the affected councils to allow recovery efforts. The councils said that it may take months for its systems to be running as normal.

The leader of Kensington and Chelsea Council, Elizabeth Campbell, said the authority is working with the Information Commissioner and the National Cyber Security Centre (NCSC), to establish what happened.

Also in this section

Jul 13, 2026

ICO refreshes law enforcement subject access guidance following DUAA 2025

The Information Commissioner's Office has updated its detailed guidance on the right of access under part 3 of the Data Protection Act 2018, incorporating the changes made by the Data (Use and Access) Act 2025 to how competent authorities handle subject access requests for law enforcement processing.
Jul 07, 2026

Section 166 application dismissed after ICO opens fresh investigations into school, council and diocese data sharing

The First-tier Tribunal (General Regulatory Chamber) has dismissed an application under section 166(2) of the Data Protection Act 2018 against the Information Commissioner, despite finding that the regulator's original response to a school employee's data sharing complaint was not an outcome to the Applicant's complaints, because a series of further investigations and outcome letters issued after…

InfoGov Masthead Newsletter 800