Three London councils are responding to a major cybersecurity incident that has disrupted public services and triggered alerts across the capital. The Royal Borough of Kensington and Chelsea (RBKC), Westminster City Council (WCC), and Hammersmith and Fulham Council confirmed on Tuesday evening (November 25) that they were investigating a serious Account Takeover Fraud–related cyber issue affecting shared systems. The situation has raised concerns as local authorities increase monitoring and coordinate with national agencies to understand the scale of the London councils cyberattack.

London Councils Confirm Cybersecurity Incident

RBKC issued an official statement revealing that both its systems and those of Westminster City Council were impacted by what it described as a “cyber security issue.” The London councils cyberattack incident, detected early on Monday morning (November 24), prompted both councils to notify the UK Information Commissioner’s Office (ICO) and work closely with the National Cyber Security Centre (NCSC) and specialist cyber incident responders. Officials said the focus remains on securing systems, protecting data, and restoring essential services. The first public indication of disruption came when RBKC posted on X around 1pm on Monday, warning of “system issues” affecting online services. By Tuesday morning, the council described the situation as a “serious IT issue,” confirming wider service interruptions as investigations continued. [caption id="attachment_107162" align="aligncenter" width="488"] Source: X[/caption] WCC issued a similar update, explaining that its computer networks were temporarily shut down as a precaution. The council apologised to residents for the inconvenience but emphasised that immediate action was necessary to prevent further impact. “We are taking swift and effective action to bring all our systems back online as soon as possible,” the council stated on its website. Emergency contact numbers were provided for urgent issues.

Multiple London Authorities Heighten Threat Levels

In the wake of the London councils cyberattack, Hackney Council circulated an internal “urgent communication,” warning staff that intelligence indicated multiple London councils had been targeted by cyberattacks within the last 24 to 48 hours. As a result, the borough escalated its internal cyber threat level to Critical. Hackney officials have experience responding to major cybersecurity incidents, following a severe attack in 2020 that affected hundreds of thousands of residents and staff. Hammersmith and Fulham Council also reported that it had responded to a serious cybersecurity incident, although the local authority stated that, so far, there was no evidence that its systems had been breached. Across the affected boroughs, several IT systems, online portals, and phone lines remain disrupted. To maintain essential services, councils activated business continuity and emergency plans, prioritising support for vulnerable residents. Additional staff have been assigned to monitor phone lines and emails while restoration work continues.

Authorities Investigating Potential Data Exposure

RBKC and WCC noted that it is still too early to determine the root cause, the extent of the incident, or whether any personal data has been compromised. However, officials confirmed that investigations are underway to determine whether the attack involved techniques similar to Account Takeover Fraud or other targeted compromise attempts. “We don’t have all the answers yet,” RBKC said, “but we know people will have concerns, so we will be updating residents and partners further over the coming days.” Council IT teams worked overnight on Monday to apply several mitigation measures, and officials said they remain vigilant for any potential follow-up attempts.

National Agencies Monitoring the Situation

A spokesperson for the National Cyber Security Centre confirmed awareness of the incident and said the agency is “working to understand any potential impact.” The NCSC continues to support local authorities in managing the wider threat. The Metropolitan Police Cyber Crime Unit also confirmed it received a referral from Action Fraud on Monday following reports of a suspected cyber-attack against several London borough councils. “Enquiries remain in the early stages,” a spokesperson said, adding that no arrests have been made so far. All affected councils apologised for the disruption and urged residents to expect delays in accessing some services. They also committed to providing further updates as system recovery progresses. For concerns related to Westminster or Hammersmith and Fulham, residents were advised to contact those authorities directly.

American Food delivery platform DoorDash has disclosed a DoorDash cybersecurity incident after an unauthorized third party accessed certain user information through a targeted social engineering attack. The company confirmed that the DoorDash data breach affected an unspecified number of users but clarified that no sensitive or financial information was accessed. According to DoorDash’s public statement, the incident began when a company employee was manipulated into granting access through a social engineering scam. This reflects a rising trend where attackers exploit human behavior rather than system weaknesses, posing significant risks even to companies with mature cybersecurity programs.

DoorDash Cybersecurity Incident: Social Engineering Identified as the Root Cause

The company revealed that threat actors did not rely on malware or exploit software vulnerabilities. Instead, they used deceptive tactics to influence an employee and gain initial access. This form of attack continues to challenge organizations, as technical security controls often cannot prevent human error. DoorDash stated that its response team quickly identified the data breach, shut down unauthorized access, and initiated an internal investigation. The company has also referred the matter to law enforcement.

What Information Was Accessed in DoorDash Data Breach

DoorDash confirmed that some users, spanning consumers, Dashers, and merchants, were impacted. The type of user information accessed varied and may have included:

• First and last name
• Phone number
• Email address
• Physical address

The company emphasized that no sensitive information such as Social Security numbers, government-issued IDs, driver’s license details, bank information, or payment card data was compromised in DoorDash cybersecurity incident. DoorDash added that it has no evidence of fraud, identity theft, or misuse of the accessed information.

DoorDash Response and Security Enhancements

Following the DoorDash cybersecurity incident, the company implemented several measures to strengthen its cybersecurity posture. These steps include:

• Deploying new security system enhancements to detect and block similar malicious activities
• Increasing employee security awareness training focused on social engineering threats
• Engaging an external cybersecurity firm to assist in the investigation and provide expert guidance
• Coordinating with law enforcement for ongoing inquiry

DoorDash reiterated its commitment to improving user security, stating that it strives to “get 1% better every day” and protect user privacy through continuous improvements.

User Notifications and Support

The company noted that affected users have been notified where required under applicable laws. To address concerns and questions, DoorDash has set up a dedicated call center available in English and French for users in the U.S., Canada, and international regions. Users seeking more information can contact the hotline using reference code B155060. DoorDash also clarified that customers of Wolt or Deliveroo were not impacted by this incident, as the breach was limited exclusively to DoorDash systems and data. Guidance for Users While no sensitive data was compromised, DoorDash advised users to remain cautious of unsolicited communications requesting personal information. The company warned users to avoid clicking suspicious links or downloading unexpected attachments, as such tactics are commonly used in social engineering attacks. DoorDash stated that users do not need to take any immediate action to protect their accounts, as the compromised information was limited to basic contact details and there is no evidence of misuse.

A cybersecurity incident at Eurofiber France was officially confirmed after the company identified unauthorized activity on November 13, 2025. The incident involved a software vulnerability that allowed a malicious actor to access data from Eurofiber France’s ticket management platform and the ATE customer portal. According to the company, the situation is now under control, with systems secured and additional protective measures implemented.

Cybersecurity Incident Impacted Ticketing Platform and ATE Portal

Eurofiber France stated that the cybersecurity incident affected its central ticket management platform used by regional brands Eurafibre, FullSave, Netiwan, and Avelia. It also impacted the ATE portal, part of Eurofiber France’s cloud services operating under the Eurofiber Cloud Infra France brand. The company confirmed that the attacker exploited a software vulnerability in this shared environment, leading to the exfiltration of customer-related data. The company emphasized that the incident is limited to customers in France using the affected platforms. Customers using Eurofiber services in Belgium, Germany, or the Netherlands, including Eurofiber Cloud Infra in the Netherlands, were not impacted. Eurofiber also noted that the effect on indirect sales and wholesale partners within France remains minimal, as most partners operate on separate systems.

Immediate Response and Containment Measures

Within hours of detecting the breach, Eurofiber France placed both the ticketing platform and the ATE portal under reinforced security. The vulnerability was patched, and additional layers of protection were deployed. The company said its internal teams, working alongside external cybersecurity experts, are now focused on assisting customers in assessing and managing the impact. Eurofiber clarified that no sensitive financial information, such as bank details or regulated critical data stored in other systems, was compromised. All services remained fully operational during the attack, and there was no disruption to customer connectivity or service availability. Customers were notified immediately after the breach was detected. Eurofiber stated it would continue to update affected organizations transparently as the investigation progresses.

Regulatory Notifications and Ongoing Investigation

In line with European regulatory requirements, Eurofiber France has notified the CNIL (France’s Data Protection Authority under GDPR) and reported the incident to ANSSI (the French National Cybersecurity Agency). A police complaint has also been filed in connection with an extortion attempt linked to the attack. The company reaffirmed its commitment to transparency, data protection, and cybersecurity throughout the remediation process.

External Research Points to Larger Data Exposure

International Cyber Digest, a third-party cybersecurity research group, reported that the breach may have exposed information belonging to approximately 3,600 customers. According to their analysis, the threat actor — who identifies as “ByteToBreach” — gained full access to Eurofiber’s GLPI database, including client data, support tickets, internal messages, passwords, and API keys. Researchers noted that Eurofiber’s GLPI installation may have been operating on versions 10.0.7–10.0.14, potentially outdated and vulnerable. The attacker, in comments shared with the researchers, claimed to have executed a slow, time-based SQL injection attack and extracted nearly 10,000 password hashes over a period of 10 days. They reportedly used administrator-level API keys to download internal documents and customer PII. ByteToBreach also claimed to have contacted both GLPI’s developer, Teclib, and Eurofiber to negotiate ransom demands. According to the research group, those attempts received no response. Eurofiber France operates over 76,000 kilometers of fiber network and 11 data centers, serving between 9,000 and 12,000 business and government customers. The company’s French clientele includes several major public institutions and private-sector organizations. Eurofiber France reiterated that all systems have now been secured and that enhanced monitoring and preventive measures are in place. The company said its teams remain fully mobilized until the cybersecurity incident is completely resolved.