Cyber Attack on London Councils: What Businesses Must Know

On 24 November 2025, IT systems across three central London boroughs went dark.

The Royal Borough of Kensington and Chelsea, Westminster City Council, and the London Borough of Hammersmith and Fulham were all taken offline in what investigators treated as a coordinated cyber incident, with the National Crime Agency, the Metropolitan Police, and the National Cyber Security Centre all subsequently involved. Kensington and Chelsea later confirmed that attackers had copied and exfiltrated historical data from its systems. The three councils share parts of their IT infrastructure, and that shared architecture is precisely what made a single compromise so consequential.

For London businesses, a cyber attack on this scale should make you think: if three neighbouring councils sharing IT can be brought down by a single compromise, what would a similar event do to your operation?

Shared infrastructure, shared exposure

The logic of shared IT services is sound on paper. Pooling resources across organisations reduces costs, avoids duplication, and often improves the quality of systems that no single entity could afford alone. Plenty of other organisations, from NHS trusts to private businesses, operate on the same principle, and so do most SMEs, albeit in a different form. Whether you rely on a cloud platform, a managed IT provider, or a suite of SaaS tools, your digital environment is connected to other organisations’ environments in ways that are not always visible.

The councils’ experience illustrates what happens when a shared system is compromised at a point that sits upstream of multiple tenants. One vulnerability, one set of stolen credentials, one unpatched entry point, and the blast radius extends to every organisation drawing on the same infrastructure. Hammersmith and Fulham had its public-facing services suspended even though investigators found no direct evidence its own systems had been breached. Proximity to a shared service was enough to force significant disruption.

The lesson isn’t that shared services are inherently unsafe, but that the junctions where dependencies converge need proportionate security controls. If you don’t know where those junctions sit in your own environment, you can’t defend them.

The SME picture

The UK Government’s Cyber Security Breaches Survey 2025 found that 43% of UK businesses experienced a cyber security breach or attack in the preceding year. For large businesses the figure was considerably higher, at 74%. IT security in London has historically been framed as an enterprise concern, but the economics of automated attack tooling have closed that gap. Those tools probe for weaknesses across thousands of targets simultaneously, and a small business using the same cloud platform or managed service as a larger target can find itself caught in the same sweep.

Most London SMEs are, in practice, running a version of the shared-services model: cloud-hosted email, third-party CRM, outsourced IT support, and shared accounting platforms. Every one of those connections is a potential entry point. The councils’ incident is unusual in scale, but the underlying mechanics are not: one compromised account, one exploited system, cascading disruption. The same pattern plays out against businesses of every size.

Organisations that contain these incidents quickly almost always have one thing in common: visibility before the attack gets underway, rather than defences only at the point of impact.

The window before the breach

A common misconception is that cyber incidents begin the moment attackers enter a network. Instead, they begin weeks or months earlier, when credentials are stolen, traded, and eventually used. According to IBM’s 2024 Cost of a Data Breach Report, breaches involving compromised credentials took the longest of any attack vector to identify and contain, at nearly ten months. That is a significant window during which stolen credentials may be circulating on dark web forums before anyone inside the affected organisation is aware.

The attack on the councils almost certainly followed a similar pattern. Ransomware and data exfiltration events of this scale do not typically happen spontaneously. Attackers gather information, test access, and move deliberately. The starting point is almost always stolen credentials: an employee’s login, a service account password, or an email address paired with a reused password from an older breach.

Dark web monitoring addresses that gap. Rather than waiting for a breach to become visible inside your own systems, it scans the forums, marketplaces, and encrypted channels where stolen credentials are bought and sold and raises an alert when your organisation’s data appears. The window between a credential being stolen and it being used is often the only opportunity to invalidate it before it causes damage. Most London businesses are not watching that window at all.

4TC’s Digital ID service monitors the dark web continuously for email credentials and other company data associated with your domain. If your team’s logins surface in a breach dump or credential marketplace, you will know about it before an attacker uses them to gain access to your systems. It complements broader security measures such as managed anti-virus, fully managed IT support, and cloud backup.

A practical takeaway

The attack on the councils made headlines because it hit recognisable names in a concentrated area. The same dynamics are at work across businesses of every size: shared dependencies, credential-based entry points, and long detection windows that give attackers time to move. The councils had the NCA, NCSC, and specialist incident responders from NCC Group called in. Most SMEs do not have that infrastructure to fall back on.

Business continuity in a cyber attack scenario often comes down to how quickly the first indicators are spotted. Credentials circulating on the dark web are one of the earliest. The practical response is to reduce the window in which an attacker can operate undetected, and that starts with knowing whether your credentials are already out there.

Find out how 4TC’s dark web monitoring can give your business an early warning against credential theft. Get in touch with the team today.