Kensington and Chelsea Council Warns Residents Following Serious Data Breach

Kensington and Chelsea Council has begun notifying residents about a significant data security incident it suffered last year, in which threat actors infiltrated its internal network and stole confidential data.

 

On 24 November, RBKC suffered a significant cyber attack that disrupted shared IT systems with Westminster City Council, impacting multiple platforms, including phone lines and online services used by around 360,000 residents. As a precaution, both councils shut down several systems to contain the intrusion.

 

External cyber security experts, along with the UK’s National Cyber Security Centre, worked around the clock to stabilise operations and restore services. Key functions—such as checking council tax bills and paying parking fines—remained limited, and the RBKC website experienced intermittent availability while security fixes were ongoing.

 

The councils activated their business continuity and emergency plans to maintain essential services, prioritising support for vulnerable residents. They also notified the Information Commissioner’s Office in line with their incident response obligations.

 

In a recent update, RBKC said its investigation revealed that the threat actors who infiltrated its internal network had “criminal intent, with data copied and taken away.”

 

“Our cybersecurity team detected and contained the attack quickly. There is no evidence of any lateral movement, so we believe the attack was stopped before it spread to third-party systems that help us provide services and store data,” the council said.

 

RBKC added that while its investigation is ongoing, “small samples show that some of the resident data copied is likely to contain sensitive data and personal information.” The council said it is coordinating with Westminster City Council and the London Borough of Hammersmith and Fulham, and working with law enforcement agencies and the NCSC to track the data and any related criminal activity.

 

“We have already written to over 100,000 households with guidance on what to do if you are worried about the breach. We continue to direct people to trusted advice from the National Cyber Security Centre on protecting yourself from fraud, scams, or identity misuse, and what to do when an organisation suffers a data breach at the hands of cyber criminals,” RBKC added.