Personal data of thousands stolen in attack on London councils

The Royal Borough of Kensington and Chelsea (RBKC) in Greater London is in the process of contacting households across the borough after establishing in December that personal data on thousands of residents was stolen in a cyber attack on shared systems operated by the council.

Over a month after the incident, several services remain disrupted or are operating in a limited capacity. Residents may experience longer service response times, difficulties with revenue or benefits processing, delays to payments and Direct Debits, and issues with housing and social care.

RBKC did not reveal the precise nature of the data it knows to have been exfiltrated, but council leader Elizabeth Campbell told the BBC that RBKC was being proactive in informing people who may be potential victims.

“We decided to go out immediately and say to people this is what’s happened, this data has been copied and it has been taken and you should be aware therefore you are at risk,” she said.

“We are now going through all the documentation to see if there are specific places where we know that someone’s been at risk – and then we will contact them directly.”

In the meantime, RBKC is directing residents to follow established advice and guidance from the UK’s National Cyber Security Centre (NCSC) on protecting oneself from cyber criminal activity such as digital fraud or identity theft, and staying safe online.

Residents should be especially alert to unexpected emails or messages asking for financial or personal information – particularly those that imply a sense of threat or urgency; ignore any unsolicited attachments or links; and interrogate any inbound contacts from individuals purporting to be from RBKC Council who ask for sensitive details.

Keven Knight, CEO of Talion, a managed security services provider, said: “It’s not clear exactly what data was compromised, but given that councils hold highly sensitive personal information on residents … it could provide an attacker with the opportunity to craft highly convincing and tailored phishing correspondence that could be used to dupe victims further. 

“One of the other major concerns is that this type of data can’t be easily changed, so once it lands in an attacker’s hands, it stays there forever.

“Residents are therefore advised to be extremely cautious of any correspondence around the incident – whether coming in via email, phone calls or post. All victims have this breach in common, so it is likely attackers will use the incident as their first opportunity to dupe victims,” said Knight.

Daily attacks

RBKC said it was dealing with cyber crime and related issues almost daily, highlighting that it stopped and isolated over 113,000 phishing attempts against its systems in the third quarter of 2025 alone.

“It is not unusual for councils and other public sector organisations to be targeted in cyber-attacks – especially by criminals looking for personal information or sensitive data,” a spokesperson said. “In fact most local authorities are under constant attack. In 2024, the local government sector reported over 150 incidents to the Information Commissioner’s Office.”

The council still believes that, given the nature of the attack and the data involved, it will take several months to complete its investigation and remediation.

Meanwhile, the wider investigation into the incident, drawing in RBKC’s neighbouring councils, Hammersmith and Fulham and the City of Westminster, continues.

All three councils share access to as-yet unspecified IT systems owned by RBKC, and prior to the festive break, Westminster City Council confirmed that its “potentially sensitive and personal” data was also exfiltrated by the unnamed threat actors.

Strategic limits

Dan Panesar, chief revenue officer at data protection and risk mitigation (DPRM) specialist Certes, said it was “particularly uncomfortable” that breaches continue to hit organisations such as RBKC and its neighbours given the UK government has ploughed millions of pounds into cyber defences.

Unfortunately, RBKC’s experience highlights the strategic limits of a defensive approach to security, he suggested.

“Local authorities hold some of the most sensitive data in society: social care, housing and safeguarding records, and once that data is copied, no amount of ‘containment’ can reverse the damage,” said Panesar.

“The real issue is strategy. Public-sector cyber defence is still overly focused on keeping attackers out, rather than assuming compromise and making stolen data unusable. Until those changes are made, these breaches will continue regardless of how much is spent on perimeter controls.”


