Dark Web Threats to UK Councils

July 22, 2025

In an increasingly volatile cyber security landscape, no organization is safe from cyber attacks. One group of organizations which has been increasingly targeted by ransomware groups and other threat actors is UK councils which are the local level of government in the UK.  

In this blog we will explore what UK councils are and how they have been subjected to cyber attacks in recent times.  

What are UK Councils? 

Councils, which are also known as local authorities are the local level of government in the UK. They are responsible for delivering public services, which can range from social care and schools to roads and transport, trash collection and recycling, housing and planning permission as well as the management of parks, recreational areas and libraries. They are responsible for large swathes of local life in the UK, and all residents pay a council tax in order to receive and maintain services.  

Councils are run by locally elected officials, who are responsible for making decisions on budgets, policies and the services that are provided. Often councils will have a lead, often the mayor who is either directly elected by local residents or selected from the councilors. There will also be non-political officers, or civil servants, that will run day to day operations.  

There are also different types of councils depending on where they are located and the communities that they support.  In England these form a tier system:  

  • Two-tier system (mainly in shire counties like Kent or Hampshire): 
    • County Councils 
      • Handle large-scale services like education, social care, and transport. 
    • District/Borough Councils 
      • Handle local services like housing, waste collection, and planning. 
  • Single-tier system (in cities and urban areas): 
    • Unitary Authorities 
      • Handle all services. 
    • Metropolitan Boroughs 
      • Do everything in large urban areas (e.g., Manchester, Birmingham). 
    • London Boroughs 
      • Each borough (like Camden or Croydon) has its own council. 
    • Greater London Authority (GLA) 
      • Oversees strategic issues like transport (TfL), policing, and planning. 

UK councils face a wide range of cybersecurity threats due to the large volumes of sensitive data they manage (e.g. social services, housing, benefits, and education). 

Cyber Security Threats 

There are multiple types of cyber threats that can affect local councils, here we summarize some of the common attacks we have seen conducted.  

Ransomware Attacks 

Ransomware attacks happen when a threat group obtains access to a network and encrypts the data demanding a ransom to return the information to the owner. More and more these attacks also include the theft of data and making this available on Dark web sites. This can have very serious ramifications for councils given the services that they support. It can stop them being able to carry out these services as well as exposing sensitive personal information.  

Figure 1: InterLock Ransomware group share data from West Lothian Council 

Data Breaches 

A data breach can occur in many ways but ultimately is when sensitive or protected data is made publicly available when it should not be. Councils can fall victim to this either through bad security practices or because they are victim of a hacking attack.  

Recently the Oxford City Council reported that attackers had been able to access PII data through a breach of some of their legacy systems. The information targeted largely related to individuals who had worked on local elections, including ballot counters and poll station workers.

Distributed Denial of Service (DDoS) Attacks 

A Denial-of-Service attack is when a website or service is overloaded, making the services unavailable. This can lead to council websites, where many local residents will access services and obtain support can be unavailable. Recently hacktivist groups which are associated with countries involved in conflict such as Russia, Ukraine, Palestine, Iran and Israel have been known to conduct these DDoS attacks. In some cases, they have successfully targeted council websites.  

Figure 2: Proof of DDOS against London Borough of Harrow from Palestinian affiliated hacktivist group 

Real World Incident:  

  • Perpetrator: Hacktivist group NoName057(16). 
  • Targets: Multiple local councils including Blackburn with Darwen, Exeter, and Arun District Council. 
  • Impact: Temporary website outages and service disruptions; attacks were politically motivated in response to the UK’s support for Ukraine 

Misconfigured Systems and Insider Threats 

Misconfiguration of systems can lead to public access to sensitive data due to poor configuration of databases or file-sharing platforms. When systems are not configured properly it may be possible for individuals who should not have access to this data. Similarly, an insider threat is where unintentional staff errors or malicious actors (disgruntled employees) can leak or share sensitive information or accesses.  

Supply Chain Attacks 

A supply chain attack is when an organization is targeted because of their position in the supply chain to another organization. This is usually because the targeted organization has less security and is an easier target – but can lead to information and data from other organizations in the chain being exposed.  

Real World Incident:  

  • Incident: Cyberattack on Locata, a housing service provider. 
  • Impact: Disruption of housing services for Manchester, Salford, and Bolton councils; users received phishing emails attempting to harvest personal information 

Phishing & Spear Phishing 

Phishing attacks are when emails or other communications are sent to an individual in order to gain information. They can either “trick” individuals into sharing information they shouldn’t usually by posing as someone in the organization or containing malicious links which people inadvertently click on allowing hackers to gain access to networks.  

Council members and staff are often targeted in these types of attacks. In February 2025 Hammersmith and Fulham Council reported that they face around 20,000 attempted cyber-attacks a day, and that the majority of these consist of phishing attempts. 

Conclusion 

Local authorities have become a popular target for cyber criminals in recent years, thanks to the large amount of valuable personal data they hold, often-outdated IT systems, and comparatively poor cybersecurity budgets. Councils need to take more proactive measures to combat the increasing threat. Some of the actions that can be taken: 

  • Adopting advanced threat detection systems and regular security assessments. 
  • Conducting cybersecurity awareness programs for staff to prevent phishing and other social engineering attacks. 
  • Developing and regularly updating incident response plans to swiftly address breaches. 
  • Working closely with national bodies to share intelligence and best practices. The NCSC is the point of contact for cyber incidents in the UK. 

Curious to learn more? Contact us.

Explore the Products

Button Product Vision
Vision UI ›
Button Product Search
Search API ›
Button Product Entity
Entity API ›
Button Product Score
DarkSonar API ›
Button Product Score
Score API ›
Button Ransomware API
Ransomware API ›
Button Product Datafeeds
Datafeeds ›

See why DarkOwl is the Leader in Darknet Data

Get a Demo
Get a Demo

Products

Services

Use Cases

Company

Copyright © 2026 DarkOwl, LLC All rights reserved.
Privacy Policy
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.