A London council has written to hundreds of thousands of residents to warn them that criminals may use details leaked via a cyber attack last year to target them for scams. At the end of November, Kensington and Chelsea was one of three west London councils that suffered an outage that was quickly attributed to a cyber attack. A week later, the council confirmed that personal data was likely leaked, though it stressed it was only “historical data”.
Now, a spokesperson for the council has said the attackers had “criminal intent”, with the council website adding that sensitive data and personal information that could impact residents had been accessed by the attackers. The head of the council, Elizabeth Campbell, said the “serious” breach required action from the council, with an update in the middle of December saying 100,000 households had already been contacted with warnings following the attack. A spokesperson told ITPro the letters were sent out at the beginning of December, and the message references the attack of “two weeks ago”.
“We decided to go out immediately and say to people this is what’s happened, this data has been copied and it has been taken and you should be aware therefore you are at risk,” the spokesperson said. In a copy of the letter shared with ITPro by the council, recipients are advised to be wary of scam messages, check online accounts for unusual activity, and report any suspicious activity to the National Cyber Security Centre (NCSC).
“Like any local authority, it was always possible that our systems could come under attack and therefore we had invested significantly in our digital, data and technology services over many years,” Campbell said in the letter. “This meant that we had a cyber defence system that was able to spot this attack quickly and protect much of our infrastructure, and the infrastructure of others, as best as possible.”
Campbell added: “Despite this, we do believe that some data has been copied and taken. It is important to say we still have access to this information, but it is possible a copy could end up in the public domain. As a priority we are checking if this contains any personal or financial details of residents, customers, and service users. This may take months and we will update residents at every step.” The council is now “going through all the documentation” to spot any specific risks and will contact individuals directly if affected, though it noted that work may take months.
Similarly, the local authority said it was checking which details in files may have been accessed, admitting that work may yield nothing, but said “we want to make sure we turn over every stone.”
The attack began on the morning of 24 November and was immediately spotted by staff at Kensington and Chelsea, who took steps to isolate systems. A week later, the council admitted some data had been accessed, including sensitive information; however, it stressed the data was not encrypted by the attackers, such as in a ransomware attack, and therefore remained accessible to the council.
Hammersmith and Fulham Council and Westminster City Council were the other two local authorities hit by the outage, as the three organisations share some systems. Hammersmith has said it so far appears its systems were not compromised, while Westminster confirmed that “limited data” had been breached.
Image source: The Royal Borough of Kensington and Chelsea
