Two of London’s major local authorities, Kensington and Chelsea (RBKC) and Westminster City Council, have declared emergency measures after a large-scale cyber attack disrupted critical public services earlier this week.
The incident was detected on Monday morning, and both councils moved quickly to shut down systems to contain the threat. Phone lines, online services, and multiple core platforms were affected, including council tax checks, parking fine payments, and public-facing websites. Engineers worked through the night on Monday and Tuesday to stabilise the infrastructure.
Both councils share parts of their IT environment, and some systems are also used by Hammersmith and Fulham, which is now assessing the potential impact. As a precaution, the affected councils have informed the Information Commissioner’s Office.
At the moment, the authorities say the identity and motive of the attackers are unknown. It is also not yet clear whether any data has been compromised. They are working with specialist cyber incident response teams and the National Cyber Security Centre to investigate and restore services.
The disruption has caused delays across departments, and residents have been warned to expect continued outages as systems are rebuilt and secured.
A wider pattern for London
Hackney Council, which was not targeted in this attack, notified its staff that intelligence suggests multiple London councils have been targeted in the last 24 to 48 hours. This has raised concerns that this may not be an isolated incident, but part of a coordinated effort aimed at public sector infrastructure.
Why this matters for every organisation
If well-funded councils with internal IT teams and government support can be shut down so quickly, it highlights a brutal truth. Most small and medium organisations operate with far weaker defences, and far more to lose.
Public sector attacks often begin with something simple. A phishing email. An unpatched system. A single staff login that wasn’t secured with MFA. Once the attacker is inside, the consequences move quickly, and the cost multiplies by the hour.
Incidents like this remind us that cyber resilience is not optional. It is the difference between a temporary inconvenience and a total operational shutdown.
What organisations should do now
Here are the actions we recommend for all businesses and public sector organisations:
• Review incident response plans and make sure they are active, current, and tested
• Check backups are isolated, recent, and actually recoverable
• Patch critical systems immediately
• Implement MFA across all key services
• Run phishing simulations and refresher training for staff
• Perform a full exposure scan for known vulnerabilities
• Review supplier access and third party connections
• Carry out at least a basic cyber hygiene audit
If you want a structured, non technical way to check your exposure, download the L5CyberTech Cyber Resilience Checklist. It covers the fundamentals that prevent most successful attacks.
And if you are worried about your current set up, need practical advice, or, worse still, you have already been the victim of a cyber attack or ransomware demand, get in touch with us.
We can help you work out what has really happened, what to do in the next few hours, and how to harden your systems so you are not an easy target next time.