More on the cyber-attack on RBKC Council in November 2025.
I’ve been trying to find out how on earth the cyber-attack in November against RBKC Council actually happened. I heard there had been recent confidential briefings to two committees, both of which I sat on for many of my 20 years on the Council. As Leader of the Independent Group on the Council (until 7 May anyway) I imagined I’d be privy to this information.
I asked nicely. I was refused.
If the confidential briefing had been shared with me, I would of course have kept it confidential. There are strict rules around matters under police investigation and rightly so.
Without this information I’ve had to do my own digging from what I can find in the public domain, trawling Agendas and Minutes. I may have missed some bits but you will get the gist. It’s bad.
Between 2012 and 2014 I was Chair of Cabinet and Corporate Services Scrutiny Committee (CCSSC), which had oversight of various issues plus Key Decisions. This included the ‘unintended outcome’ (ie, predictable disaster) of the Triborough arrangements with Hammersmith and Fulham and Westminster Councils. It was claimed this joint working would save £100m, but it was utter chaos, and cost RBKC a great deal of money – £10m on one contract alone. BT was launching a new system for ‘managed services’ including payroll, HR and financial management, and persuaded the then CEO to buy it. Committee members of all parties were concerned, especially me. One of the recurring issues was attempting to make the different software systems across the Council interface or ‘speak to each other’. Some of them, we found, were nearing ‘end of life’ and could no longer be updated for security, or had to be re-contracted for a period while the changeover took place.
After numerous delays and corrections, the new system eventually went live in 2015, and almost immediately was found to be faulty. It didn’t have capacity to accommodate changes to salary, pensions, holidays, sick pay. Some teaching staff weren’t paid for months and were defaulting on their rent or mortgages, some residents were getting threats from bailiffs when they had indeed paid their Council Tax – and that’s just two incidents of many. It was a catastrophe. The Council eventually began dissociating itself in 2018, and finally ended the contract in 2019; then the Court case began. A predictable and predicted disaster.
Red Flag no 1
For a while we used a half decent system run by Hampshire Council for payroll, HR, etc, then contracted a new system from Oracle. My dates are hazy on this as I wasn’t on any relevant committees, but it was eventually taken on and staff retrained. In November 2024 the Oversight and Scrutiny Committee (OSC), which took over the responsibility of the previous CCSSC, was already considering making savings to the contract. One committee member asked about the effect of the proposed cuts to cybersecurity, and to how the Council was handling data. A response to this concern was ‘… because of the uncoupling of IT functions from Westminster the Council still had some way to go in terms of digital transformation’.
‘Transformation’, by the way, is the new euphemism for ‘efficiencies’ – or more bluntly ‘cuts’.
Red Flag no 2
In March 2025 the Council’s auditors reported a significant risk to the implementation of the new Oracle system that handled finance, HR and payments, of ‘incomplete or inaccurate transfer of data to the new ledger’, and ‘… this risk is heightened by the necessity for manual data manipulation during the transfer process’.
Red Flag no 3
On 17 June 2025 a group of Council residents on the Tenants Consultative Committee (TCC) reported back from a deep dive into the Council’s Housing Management (HM) reporting and IT systems for repairs, maintenance and communications, which were – to put it politely – struggling. The report was called ‘Repairing Trust: a resident led review of the housing service’ and was presented to the TCC, senior housing officers and the Director of Housing. It stated that the housing website was out of date and had ‘obsolete information’, with ‘gaps in IT systems’, and that ‘current tools do not interface smoothly’.
Red Flag no 4
In August the Social Housing Regulator gave the Council a shameful C3 (second to worst) rating for failing to keep one-third of its homes up to Decent Homes standard; as we know the repairs system was partially run by an ageing IT system.
Red Flag no 5
In July 2025 the Local Government Association (LGA) Corporate Peer Challenge ‘identified digital, HR and procurement as key areas where stronger collaboration and alignment could help drive more efficient working … RBKC operates within a complex landscape of digital platforms and legacy systems …’. Again – legacy systems.
Given these repeated warnings it is incomprehensible that the obsolete, insecure and weak systems in use were not promptly updated, removed or replaced; instead the Grenfell Council had been considering cuts.
On 24 November 2025 the Council was subjected to a comprehensive cyber-attack which froze all planning, licensing, finance and HR, and data was stolen. Latest estimates are that it might not be fully recovered until the end of 2027.
The alarming report from TCC residents was discussed in the Housing and Communities Scrutiny Committee on 4 March 2026, in the context of the cyber-attack. The TCC group complained that their findings published the previous June had been ignored, despite being seen by the relevant Lead Councillors and senior officers. They repeated that they had found a long-standing security risk from ‘platforms that are not there’, that HM was using ‘obsolete technology’ that was past end of life and no longer updated. One system had been ‘unsupported’ since 2012. They stated ‘One of the findings we reported if somebody wants to hack RBKC they don’t really need to try that much if the platform is based on X’ – [a discontinued, unsupported plug-in].
Once again the Council ignored warnings from wise and well-informed residents, which led to a totally catastrophic outcome. Sound familiar?
The carefully orchestrated and cheery response of ‘this could have happened to anyone’ from the Council leadership doesn’t wash after a series of warnings over an entire year. I await a comment along the lines of: ‘This new challenge gives us an exciting opportunity to excel.’
They don’t listen and they never learn.
