British Library shares learnings from cyber attack 

The institution says its reliance on legacy infrastructure has impacted its ability to restore services quickly in the wake of a major ransomware attack last October.

Patrick Jowett

The British Library has published a report examining the implications of a major ransomware attack on the institution last year.

The attack, first identified on 28 October 2023, involved the copying and exfiltration of around 600GB of files, equivalent to just under half a million individual documents. The hackers’ methods involved destroying some servers to inhibit system recovery, which the library says has had the most damaging impact.

In the review, the library says that although the security measures it had in place had been “extensive and had been accredited and stress-tested, with the benefit of hindsight there is much we wish we had understood better or had prioritised differently”.

Its series of 16 lessons learned includes commissioning in-depth security reviews even after small signs of network intrusion, retaining on-call external security, fully implementing multi-factor authentication and practising comprehensive business continuity plans.

The review admits a “reliance on legacy infrastructure” has hampered the library’s ability to recover and restore services after the attack. It therefore suggests that lifecycles are managed to eliminate legacy technology and that remediation of issues arising from legacy technology is prioritised.

The library says this reliance means some systems cannot be restored due to their age, either because they no longer work on newer infrastructure or because there is no vendor support as they’ve reached end of life, meaning some systems will need to be “substantially modified, or even rebuilt from the ground up”. It adds that keeping infrastructure and applications current can ensure “the attack vector is reduced”.

Other lessons shared include investing in backup and recovery capabilities alongside security, ensuring all senior officers and board members have a clear and holistic understanding of cyber-risks, offering training around evolving risks to all staff and ensuring policies and guidance around acceptable use of IT are regularly reviewed. 

Lasting impact

The library says the impact of the cyber attack has been “deep and extensive”, adding that almost all areas of activity were affected to a greater or lesser extent.

While a detailed analysis of the impacted data is expected to be completed later this month, the library’s review estimates around 60% of the affected data was records belonging to its finance, technology and people teams. The other 40% is thought to have come from the hackers using sensitive keyword searches such as “passport” or “confidential” and copying files from drives used by staff for personal purposes.

The library says the attackers also created backups of 22 databases that were exfiltrated from the library’s network. Some of the databases contained the contact details of external users and customers, but it is believed no sensitive details such as banking information were compromised.

The institution’s custodianship and research departments have been most heavily hit, as they were directly impacted by the loss of core systems relating to collection access. Research services were heavily restricted for the first two months, while electronic access to some research journals remains offline today.

The library says the rebuilding of its infrastructure remains ongoing. It has secure copies of all its digital collection but has been hampered by a lack of viable infrastructure on which to restore it.

Its core email, finance, HR and payroll systems are all cloud-based and were largely unaffected by the attack. The library says it expects its balance between cloud-based and onsite technologies to shift substantially towards the former in the next 18 months, but acknowledges this will come with its own risks that will need to be actively managed.

In the wake of the attack the library continued to perform strongly in its customer-facing offers, with exhibitions and on-site cultural events exceeding targets during the period.

Financial implications

The review does not go into detail on costs, as the library says the financial impact of the attack is still under review, but reports in national press from January put the cost of the attack at around £7m. The Financial Times has reported the library will use about 40% of its reserves to rebuild its digital services. 

The library says it has not asked DCMS, its main sponsor, for any additional funds at this point.

In line with UK law, no ransom was offered, leading the hackers to put the data up for auction and onto the dark web. The library’s Corporate Information Management Unit is currently conducting a review of material included in the data-dump, and contacting individuals wherever sensitive material is identified.

Meanwhile, the Information Commissioner's Office is currently looking into the attack and is expected to publish its own findings on the incident. The library has said it will abide by any recommendations set out.

In a statement uploaded on the British Library’s blog, the institution’s Chief Executive, Sir Roly Keating, said that “the threat of aggressive and disruptive cyber-attacks is higher than it has ever been and the organisations behind these attacks are increasingly advanced in their techniques and ruthless in their willingness to destroy whole technical systems”.

“If the outcome [of the attack] is increased resilience and protection against attack for the UK collections sector and others, then at least one good thing will have emerged from this deeply damaging criminal attack,” he added.