23 April 2026 Retrospectives Patrowl Team

Why UK Local Authorities Are Prime Targets for Cyberattacks

UK local authorities are on the front line of a rapidly escalating cyber threat. As the bodies responsible for delivering essential public services, councils have become high-value targets for cybercriminals, ransomware gangs, and even state-sponsored actors.

The scale of the threat is no longer theoretical. In 2024, the UK was the most targeted country in Europe for cyberattacks, with over 40% of UK businesses and organisations experiencing incidents, equivalent to more than 600,000 organisations. For local authorities operating under relentless financial pressure, the consequences of a successful attack can be devastating and long-lasting.

I. A Perfect Storm: Structural Vulnerabilities in Local Government

Legacy Systems and Fragmented Infrastructure

Many UK councils rely on IT environments that have accumulated over decades without being fundamentally redesigned. The result is a patchwork of outdated software, unsupported platforms, and inconsistent security controls: precisely the conditions that attackers look to exploit.

The problem extends to central government too, which offers a stark illustration of the challenge. By March 2024, government auditors had identified at least 228 legacy IT systems across in-scope departments, with 28% flagged as presenting a high likelihood of operational and security risks. In March 2024, departments did not have fully funded plans to remediate around half of government's legacy IT assets, leaving these systems increasingly vulnerable to attack.

Analysts note that public bodies across the UK often rely on legacy systems that are harder to secure and more costly to maintain, while operating under tight budget constraints.

There is also a patchwork of accountability for cyber risk across departments, agencies, and arm's-length bodies that can slow responses to incidents and weaken oversight.

The UK government estimated that it used nearly half of its £4.7 billion IT expenditure to keep legacy systems running, budget that could otherwise fund modernisation and security uplift.

A Growing External Attack Surface

Digitalisation has expanded the attack surface of every UK council dramatically. Services that were once paper-based or in-person are now delivered through online portals, cloud platforms, and third-party providers, each representing a potential entry point for attackers.

This expansion includes online service portals for council tax, planning, and benefits; remote access systems for hybrid-working staff; cloud-based document management and communications tools; and third-party suppliers handling housing, payroll, and social care software. Digital transformation programmes have increased connectivity and data sharing between systems, which can expand the potential attack surface if controls do not keep pace.

The Cybersecurity Skills Gap

Beyond technology, councils face an acute human resource challenge. Nearly half of UK businesses and 58% of government organisations report basic cyber skills gaps, according to the 2025 Cyber Security Skills in the UK Labour Market report. Public sector organisations compete with private sector salaries they often cannot match, leaving many councils without dedicated security expertise.

II. Why Attackers Single Out Local Authorities

"Low-Hanging Fruit" for Cybercriminals

Organisations like local councils and NHS hospitals are viewed as "low-hanging fruit" by cyber threat actors, as they often lack cybersecurity resources and expertise compared to private sector entities.

Several factors make them particularly attractive:

Sensitive data at scale. Councils hold some of the most sensitive personal data in the country: housing records, social care files, benefit claims, planning applications, and children's services information. This data is highly valuable on the criminal marketplace and equally damaging when exposed publicly.

Operational criticality. Disrupting a council's IT systems does not merely inconvenience staff. It halts services that vulnerable people depend on. This urgency makes councils more likely to pay a ransom to restore operations quickly.

Inconsistent security maturity. Cybersecurity investment varies significantly between councils. Some have dedicated security teams and mature risk frameworks; others have little more than basic antivirus software. Attackers can afford to be selective, moving on to softer targets when resistance is encountered.

Supply chain exposure. A single compromised supplier can bring down multiple councils simultaneously. In August 2024, a cyberattack on housing software provider Locata caused the housing websites for three councils (Manchester, Salford, and Bolton) to be suspended, leaving thousands of residents unable to access services and exposing a "small amount" of personal data.

An Escalating National Threat Picture

The overall UK threat environment has deteriorated markedly.

The NCSC dealt with 204 "nationally significant" cyberattacks against the UK in the 12 months to August 2025, a sharp rise from 89 in the previous year. Of a total of 429 incidents handled, 18 were categorised as "highly significant", meaning they had the potential to have a serious impact on essential services — an almost 50% increase on the previous year, and an increase for the third consecutive year.

The number of nationally significant incidents rose from 63 in 2022 to 204 in 2025, while those classed as "highly significant" rose from just one in 2022 to 18 in 2025.

III. Real-World Consequences: Recent Attacks on UK Councils

The impact of cyberattacks on local authorities is not abstract. Several high-profile incidents from 2024 alone illustrate the scale of disruption and long-term costs councils face.

Leicester City Council (March 2024). Leicester City Council was subject to a critical ransomware attack on 8 March 2024, causing IT systems and phone lines to be temporarily disabled. The attack caused significant disruption to crucial services for several weeks, including child protection, adult social care, and homeless services. One unexpected consequence was IoT interference that caused streetlamps to remain on continuously. A total of 3TB of sensitive data was claimed to have been stolen by ransomware group Inc Ransom, with 1.3TB subsequently leaked online — including rent statements, personal identification documents, and council house purchase applications affecting up to 400,000 residents.

Hackney Council, a cautionary tale on recovery costs. The 2020 ransomware attack on Hackney Council in London remains one of the starkest examples of long-term cyber damage. The council has incurred an overspend of £37 million to remediate the damage, with portions of the budget allocated to hiring staff to clear backlogs and IT consultants to prevent future breaches. An ICO investigation found significant gaps in security processes and data protection.

Co-ordinated DDoS campaign (October 2024). By the end of October 2024, numerous UK councils experienced DDoS attacks that temporarily disabled website services. The group behind the co-ordinated campaign was NoName057(16), a prolific pro-Russian hacktivist collective targeting countries supporting Ukraine.

These examples are not outliers; they represent a pattern. While the immediate damage from many incidents can be mitigated within weeks, recovery efforts often span several years, incurring substantial and sustained costs for affected organisations.

IV. The Financial and Reputational Cost

The financial impact of cyberattacks on the UK public sector is significant and growing. KPMG estimates that the average cost of a significant cyberattack for a UK organisation is almost £195,000. When scaled to an annual UK cost, this amounts to £14.7 billion.

For local authorities, costs accumulate across multiple dimensions: emergency IT consultancy and incident response; ransom payments (though paying is strongly discouraged); legal obligations under GDPR, including ICO reporting and potential fines; compensation for affected residents; and long-term system remediation and security uplift.

Beyond direct costs, the reputational damage from exposing citizen data can erode public trust in digital services. This makes residents less willing to engage with online platforms that councils need them to use.

V. The Regulatory and Policy Context

The UK government has acknowledged the severity of the threat facing public services.

In January 2026, it launched a £210 million Cyber Action Plan, establishing a new Government Cyber Unit to coordinate defences across departments. The plan's 108-page document revealed that nearly a third of government technology systems run on legacy platforms that sophisticated attackers can easily compromise, with ministers advised that government security risk is "critically high".

The Cyber Security and Resilience Bill, introduced to Parliament in November 2025, will extend mandatory security requirements and incident reporting obligations to a broader range of organisations, including digital service providers that councils rely on. This legislative shift signals that the regulatory environment around local authority cybersecurity is tightening. Councils that fail to improve their posture face both heightened attack risk and growing compliance exposure.

VI. How Local Authorities Can Reduce Their Attack Surface

Managing cyber risk effectively does not require unlimited budgets. It requires a structured, risk-based approach focused on the areas of greatest exposure.

Gain Full Visibility of Internet-Facing Assets

You cannot protect what you cannot see. Many councils lack a comprehensive, up-to-date inventory of their external attack surface — the systems, subdomains, APIs, and cloud services accessible from the internet. External Attack Surface Management (EASM) tools can automate this discovery process, continuously identifying exposed assets and flagging vulnerabilities before attackers find them.

Strengthen Remote Access and Authentication

With hybrid working now standard across local government, remote access systems represent a major risk vector. Implementing multi-factor authentication (MFA) across all remote access points, enforcing strong password policies, and regularly auditing VPN and remote desktop configurations are foundational steps that significantly reduce exposure.

Manage Third-Party and Supply Chain Risk

The Locata and Synnovis attacks demonstrate that council security is only as strong as the weakest link in its supply chain. Local authorities should conduct regular security assessments of their key suppliers, require minimum security standards in procurement contracts, and have clear incident response plans for supplier-side breaches.

Apply Patches Promptly and Systematically

Unpatched vulnerabilities in internet-facing systems remain one of the most common attack vectors. Establishing a regular, prioritised patching schedule (with particular focus on externally accessible systems) closes many of the entry points that attackers rely on.

Build a Cybersecurity Culture

The NCSC has reiterated that barriers to improving cyber resilience are not purely technical but are also market- and culture-driven, calling on all leaders to take responsibility for their organisation's cyber resilience. Regular staff awareness training, clear escalation procedures for suspected incidents, and leadership commitment to cybersecurity investment are as important as any technical control.

Conclusion: From Reactive to Proactive

UK local authorities face a cybersecurity challenge that is structural, financial, and operational all at once. The combination of legacy systems, expanding digital services, limited budgets, and a rapidly worsening threat landscape creates conditions that attackers are actively exploiting.

The incidents of 2024 show that the question is no longer whether a council will face a cyberattack, but when, and how prepared it will be when it happens.

Taking a proactive approach to external attack surface management, third-party risk, and security culture is no longer optional. It is the baseline required to protect public services, safeguard citizen data, and maintain the trust that local government depends on.
