Hammersmith and Fulham Council faces a high risk of cyber attacks, according to a report presented to the Audit Committee. The council's IT systems were compromised in a cyber incident in late November 2025, which led to a disconnection from finance, payroll, and HR systems until mid-January 2026.
Despite the council's efforts to isolate, protect, and secure its systems with the help of a cyber security incident response provider, the risk of future attacks remains a significant concern. The external audit plan for the financial year 2025/26 identified IT system compromise due to cyber-attacks
as a key risk (Risk 3) on the Corporate Risk Register.
During the Audit Committee meeting on March 16, 2026, a verbal report on cyber security arrangements was scheduled to cover the recent incident, actions taken, and the council's response. The report noted that while the council has restored full operations and there is no current evidence of systems being compromised, the risk persists.
Internal audit's plan for 2026/27 also highlights the need to review business continuity plans in light of the recent cyber incident. The audit of IT Governance & Policy
and Business Continuity
are scheduled to assess the robustness and effectiveness of these plans and how lessons learned are being managed across the council.
The council's risk management update presented to the committee also flagged Cyber Attack/ Data Breach
as a high-impact, high-likelihood risk (Risk 3). Mitigation actions include maintaining layered security controls, regular vulnerability scanning, following guidance from the National Cyber Security Centre, and working with regional and national partners to stay prepared for emerging threats.
