Hundreds of thousands of residents in west London may have had their personal information exposed following a cyber attack on Kensington and Chelsea Council. The council has written to households to alert them that criminals could use the stolen data to make scams appear genuine.
A spokesperson for the council confirmed the attack was carried out “with criminal intent”, urging residents to remain cautious when responding to unexpected calls, messages, emails, or anyone claiming to be from the council requesting sensitive information.
Small samples of the data accessed suggest that some contained sensitive personal information, potentially putting vulnerable residents at risk.
Cybersecurity expert Graeme Stewart explained on the BBC why local authorities are frequent targets: “Councils hold a lot of valuable data—housing records, social care details, and more. Attackers see these organisations as rich sources of information.”
He added: “Authorities operate under constant budget pressures, which cyber attackers exploit. They have no moral scruples and will target the weakest points. Most attacks fail, but eventually, someone breaks through.”
Stewart likened the attacks to a “digital verruca”: malicious code that can remain dormant in systems for long periods before being triggered to cause widespread disruption.
Kensington and Chelsea Council works closely with Westminster City Council and Hammersmith and Fulham Council. The three authorities are collaborating with the National Cyber Security Centre to monitor the incident.
Council leader Elizabeth Campbell described the breach as “serious” and said the authority acted immediately to notify residents: “We decided to go out immediately and inform people. This data has been copied, it has been taken, and you should be aware you are at risk. Where we identify particularly vulnerable individuals, we will contact them directly.”
The council confirmed its cybersecurity team detected and contained the attack swiftly. Officials believe third-party systems that support council services were not accessed, but checking all potentially affected files may take months, particularly those concerning vulnerable residents.
In 2024 alone, more than 150 cybersecurity incidents were reported across local government to the Information Commissioner’s Office, highlighting the ongoing risks faced by public sector organisations.
The Metropolitan Police Cyber Crime Unit continues to investigate. No arrests have been made, and authorities are advising residents to contact the council and take precautions if they suspect their personal information may have been compromised.
Residents are urged to remain vigilant online, verify any communication claiming to be from the council, and follow guidance from the National Cyber Security Centre on staying safe from scams and data breaches.
