Data stolen in Kensington and Chelsea cyber attack

The personal details of hundreds of thousands of people may have been stolen in a cyber attack on a west London council.

Kensington and Chelsea Council has written to warn households that criminals could use the information to make scams seem legitimate, and advised people to be vigilant.

A spokesperson said the attack was carried out "with criminal intent" and said residents to be wary of unexpected calls, messages, links or attachments, or anyone claiming to be from the council asking for sensitive details.

They said small samples of the data accessed by hackers showed some of it was likely to contain sensitive data and personal information.

Cyber security expert Graeme Stewart said local authorities "get targeted because they have got a lot of really, really interesting data.

"So if you think about what local authorities do, they're providing social care, they've got housing records - this information has real value to the the attackers."

He also said local authorities "operate under real pressure the whole time as they're currently always under budget scrutiny, things like that.

"Cyber attackers don't have any moral scruples. They will basically go for the easiest targets that they can. Quite a lot of these local authorities get attacked all the time and most of the time it won't work - but eventually someone's going to get through."

Stewart said the attacks worked "a bit like they planted digital verruca in the system, and it sits in there and it can be dormant for absolutely ages and then they can choose to set this thing off and cause all kinds of problems.

"So the problem with it is, is until you've found the malicious code, the actual attack itself, you're still at the mercy of this thing going off."

Kensington and Chelsea Council, which shares some affected services with Westminster City Council and Hammersmith and Fulham Council, said the three councils were working together with the National Cyber Security Centre to track data.

The council said it was not uncommon for public sector bodies to be the target of a cyber attack, and in 2024 more than 150 incidents in the local government sector were reported to the Information Commissioner's Office.

• National Cyber Security Centre advice on keeping your data safe and what to do if you are worried about a data breach
• Tips on keeping your information safe and staying secure online

An update on the Kensington and Chelsea Council website said council officers were "planning accordingly" and "working with law enforcement at every step".

The council told the Local Democracy Reporting Service its cybersecurity team detected and contained the attack "quickly" and they "don't believe" hackers accessed third-party systems that help provide services and store data.

The authority is also checking files that may have been accessed and is prioritising those belonging to vulnerable individuals.

It said it could take months to check everything thoroughly.

Elizabeth Campbell, leader of the council, said the breach was "serious", which was why the authority had been proactive in notifying potential victims.

"We decided to go out immediately and say to people this is what's happened, this data has been copied and it has been taken and you should be aware therefore you are at risk.

"In the meantime we are now going through all the documentation to see if there are specific places where we know that someone's been at risk - and then we will contact them directly."

The Met's Cyber Crime Unit said inquiries were ongoing, no arrests had been made and it was "unable to go into details around what information has been accessed and would advise contacting the relevant authorities".

Listen to the best of BBC Radio London on Sounds and follow BBC London on Facebook, X and Instagram. Send your story ideas to [email protected]