Personal data belonging to hundreds of thousands of people is believed to have been stolen in a cyber attack on Kensington and Chelsea Council.
Households have been warned by the west London council to be wary of unexpected calls, messages and links and that the information could be used to make scams seem legitimate.
Small samples of the data hacked by the criminals show it is likely to contain sensitive personal information, and residents should be wary of anyone claiming to be a council worker who asks for details.
The council shares some of its affected services with Westminster City Council and Hammersmith and Fulham Council, which were also impacted. All three are working with the National Cyber Security Centre (NCSC) to track the data.
As a result, they have written to over 100,000 households with guidance and have warned residents to use the councils published contact routes if they have any concerns.
The council’s most recent update on its website said officers were “planning accordingly” and “working with law enforcement at every step”, and that they did not believe the hackers had succeeded in accessing third-party systems that help provide services.
The council are also checking files that may have been accessed and prioritising those belonging to vulnerable individuals, but it could take months for the operation to be completed.
In 2024, there were more than 150 incidents of reported cyber attacks in the local government sector that were reported to the Information Commissioner’s Office (ICO).
Speaking to the BBC, cyber security expert Graeme Stewart said local authorities are targeted because “they have got a lot of really, really interesting data”.
“Cyber attackers don’t have any moral scruples. They will basically go for the easiest targets that they can. Quite a lot of these local authorities get attacked all the time and most of the time it won’t work – but eventually someone’s going to get through,” he said.
He also said local authorities “operate under real pressure the whole time as they’re currently always under budget scrutiny, things like that”.
Elizabeth Campbell, leader of the council, said: “We decided to go out immediately and say to people this is what’s happened, this data has been copied and it has been taken and you should be aware therefore you are at risk.
“In the meantime, we are now going through all the documentation to see if there are specific places where we know that someone’s been at risk – and then we will contact them directly.”
The Met’s Cyber Crime Unit said inquiries were ongoing and no arrests had been made.
