Westminster City Council has said that “potentially sensitive and personal” data was stolen by hackers during the cyber attack that hit three neighbouring London authorities last month.

Westminster is part of a shared IT services operation with the London Borough of Hammersmith and Fulham, and the Royal Borough of Kensington and Chelsea (RBKC), with all three affected by the attack, which was first detected on 24 November.

RBKC said four days later that it had experienced a data breach during the attack, but Westminster has now confirmed that, following further examination, its data was copied and taken by a third party that infiltrated IT systems operated by RBKC.

“The council has established that the Westminster breach involves some limited data, hosted in the Royal Borough of Kensington and Chelsea's shared IT environment, which is likely to contain some potentially sensitive and personal information,” said Westminster council in a statement published on its website.

“Work is underway to establish what exactly the data entails and how it relates to individuals, as part of a comprehensive process in line with the Information Commissioner’s Office recommendations, which will take some time to complete. The data is not lost or deleted, and there is no indication at this stage that it has been published online.”

RBKC added in a separate statement: “Following extensive investigation with cyber security specialists from NCC Group and independent forensic experts, we can confirm that this was a cyber attack with criminal intent, with data copied and taken away.”

The councils said the attack was detected quickly and they believe it was stopped before it could spread to other systems. “There is no evidence of any lateral movement,” said RBKC.

The Metropolitan Police, the National Crime Agency, and the National Cyber Security Centre are also involved in the investigation.

Westminster councillor David Boothroyd, cabinet member for finance and council reform, reassured residents that the council is doing everything possible to respond to the incident and to keep delivering services.

“Our priority is to support and protect the most vulnerable in our community, despite the disruption that is being caused. We acted quickly to secure our systems, and we are working towards restoring council services as safely and swiftly as possible, but this will take time. We remain committed to transparency and will continue to provide updates as our recovery progresses,” he said.

RBKC said it will “take months” to fully check for any further data exfiltrated from its systems. The borough said it has written to more than 100,000 households with advice on what to do if they are worried about the data breach.

“We’re working to restore all systems securely, but this will take time. Essential services, including those supporting vulnerable residents, are being prioritised,” said RBKC. “Our investigation is ongoing and will take several months, due to the complex nature of the attack and the data involved, and the need to restart many of our systems.”

Public services were disrupted at all three councils. In Hammersmith and Fulham, multiple services were affected, with most of its online offerings unavailable, including council tax accounts; business rates payments; benefits accounts; housing, including repairs; parking permits, fines and on-street bay suspensions; freedom pass applications; and property licensing.

In Westminster, the disruption also extended across multiple services, including rent and service charge payments; council tax and business rates; housing repairs; local support payment applications; community hall bookings; birth, death and marriage certificates; children’s services referrals; complaints; licensing; and online waste and recycling services, including bulky item collections and requests for more recycling bags.

The UK government also admitted today that IT systems at the Foreign, Commonwealth and Development Office were hacked in October, but insisted the attack had a “low risk” of personal data being compromised.