London Boroughs Struggle to Restore Services Months After Coordinated Cyberattack

Trends Reporter

Multiple London councils remain partially offline nearly three months after a cyberattack that compromised shared legacy systems, exposing the fragility of municipal IT infrastructure and the persistent threat from hacktivist groups targeting local government.

The digital recovery of London's local government is proving to be a marathon, not a sprint. Months after a coordinated cyberattack struck several boroughs, residents and staff are still navigating a patchwork of restored services and lingering disruptions, highlighting the severe operational impact of compromising municipal IT infrastructure.

The incident, which first came to light in late 2025, primarily affected the West London boroughs of Hammersmith & Fulham, Westminster City, and Kensington and Chelsea. According to the Local Government & Social Care Ombudsman, the attack exploited shared legacy systems, a common vulnerability in public sector IT where outdated platforms are often interconnected for efficiency but create a single point of failure.

Hammersmith & Fulham Council, which has made the most progress, announced in late January 2026 that online and telephone payments have resumed. However, the council cautions that some council tax and housing rent account balances may not be fully current. Suppliers have been urged to continue submitting invoices, though a "small backlog" may delay payments. The council's status page shows most services are available, but some remain down, and phone support lines are experiencing lengthy wait times.

The council's official statement clarifies the attack vector: "A cybersecurity incident in a neighboring council last November affected some shared legacy H&F systems." While H&F isolated its network and claims no evidence of its own systems being compromised, the incident forced a temporary suspension of public-facing applications. The council has since introduced "enhanced security measures" and is investigating potential impacts on historic data.

The situation is more severe in other boroughs. Westminster City Council faces ongoing disruptions, with direct debits suspended until after January. Missed payments will be spread across the remaining months of the financial year, leading to larger-than-normal future bills. Critical services remain unavailable, including the ordering of birth, death, and marriage certificates, school applications, library cards, and free school meal applications.

The Royal Borough of Kensington & Chelsea, which confirmed the attack was criminal in intent and resulted in data compromise, is still unable to process some resident payments. Its council tax team lacks access to systems and emails. The council warns that a full system restoration could take months, and the investigation remains ongoing in collaboration with law enforcement and international cybersecurity agencies.

Kensington & Chelsea provided a stark indicator of the threat environment, reporting it blocked over 113,000 phishing attempts between June and September 2025 alone. This underscores the relentless nature of attacks facing UK local authorities.

This incident is not an isolated event but part of a broader pattern. The UK's National Cyber Security Centre (NCSC), the cyber arm of GCHQ, recently warned that local authorities are primary targets for pro-Russia hacktivist groups. These attacks are often not technically sophisticated but are designed to cause costly disruption and erode public trust. The NCSC's advisory emphasizes that the goal is often disruption rather than high-value data theft, though the two frequently coincide.

The recovery timeline for local government is inherently slow. Unlike a private corporation, councils cannot simply restore from a backup and resume operations. They manage critical life services—social care, housing, benefits, and emergency responses—where any downtime has direct human consequences. The need to ensure systems are not only clean but also compliant with data protection regulations like GDPR before bringing them back online adds significant complexity and time.

The shared legacy systems mentioned in the H&F statement are a known challenge. Many councils operate on a patchwork of systems, some decades old, built for a pre-cloud era. Integrating these with modern web services creates a complex attack surface. Migrating to modern, secure platforms is a multi-year, multi-million-pound endeavor for most boroughs, leaving them vulnerable in the interim.

The human cost is also significant. Council staff, already stretched thin, are now managing recovery while fielding frustrated resident queries. The psychological toll of a sustained cyber incident, coupled with the pressure to restore services, contributes to burnout and operational fatigue.

This event serves as a case study in the fragility of public sector digital infrastructure. It demonstrates that resilience is not just about having backups, but about architectural design, legacy system management, and the capacity for rapid isolation. The fact that a single incident could ripple across multiple boroughs through shared systems points to a systemic risk that requires coordinated, cross-council investment and strategy.

For residents, the experience is a tangible reminder of their dependence on digital public services. The inability to order a birth certificate or apply for a school place is not merely an inconvenience; it can block access to fundamental rights and services. The financial impact of delayed payments and adjusted bills adds another layer of stress.

The path forward involves more than just patching systems. It requires a fundamental re-evaluation of how local government IT is funded, designed, and secured. The NCSC's guidance and the government's push for improved cyber resilience in the public sector will be critical, but the pace of change must match the pace of the threat.

As these London boroughs continue their slow climb back to full functionality, they serve as a warning to other local authorities and public institutions. The attack on London's councils is a stark illustration that in the realm of cybersecurity, the most disruptive threats are not always the most technically advanced, but those that target the foundational systems society relies upon every day.
