In October 2023, Rhysida, a hacker group, attacked the online information systems of the British Library. They demanded a ransom of 20 bitcoin, at the time around £596,000, to restore services and return the stolen data. When the British Library did not acquiesce to the attempt, Rhysida publicly released approximately 600GB of leaked material online. It has been described as "one of the worst cyber incidents in British history".[1]
The main catalogue returned online on 15 January 2024 in a read-only format, though some of the library's services are expected to remain unavailable for months. The British Library will use about 40 percent of its financial reserves, around £6–7 million, to recover from the attack.
Background
The British Library is a non-departmental public body which in 2023 held around 14 million books, as well as millions of other items.[2][3] It is the largest library in the United Kingdom.[4] The Library was protected by firewalls and antivirus software but was not using multi-factor authentication (MFA), and had installed a new Terminal Services server in February 2020 to facilitate remote access to third-party providers and internal IT administrators during the COVID-19 pandemic; this was the server on which unauthorised access was first detected during the attack. In 2020, the lack of MFA on the server was raised as a risk; a Library report later stated that "the possible consequences were perhaps under-appraised".[5]
Rhysida is a hacker group and "ransomware as a service" provider already known for its attacks on vital infrastructure such as schools, hospitals and government agencies, having become known to intelligence services in May 2023.[3][6] It had previously attacked the Chilean Army, a medical research lab in Australia, and health-care company Prospect Medical Holdings.[6]
28 October: At 9:54 a.m. GMT, the British Library states on Twitter that it is experiencing "technical issues affecting our website". By midmorning, issues include a public Wi-Fi outage and non-functional online catalogue.[6][3][8]
29 October: The Library announces on Twitter that it is experiencing a "technology outage".[6]
30 October: The Library reopens after the weekend "in a pre-digital state", according to The New Yorker. Its website, phone lines, ticket sales, reader registrations, and card transactions are non-functional. Deliveries from the Library's Boston Spa site are put on hold.[6]
31 October: The Library confirms publicly that the outage is the consequence of a cyberattack.[9] It launches an investigation alongside the National Cyber Security Centre (NCSC) and other cybersecurity specialists.[10]
16 November: An attempt at digital extortion, also known as a ransomware attack, is confirmed by the Library.[9]
20 November: Rhysida claims responsibility for the breach and launches a week-long auction for 490,191 files of data on the dark web, opening bidding at 20 bitcoin, at the time equivalent to about £596,000, for a single buyer.[2][6] It sets the auction deadline to 8 a.m. GMT on 27 November and advertises it with low-resolution images which appear to show HM Revenue and Customs employment contracts and passport information.[2][4] It claims the data is "exclusive, unique and impressive".[3] The Library states that the leaked data appears to be from its internal human resources files.[4]
27 November: Rhysida makes 90 percent of the stolen data, approximately 600 GB, freely available for anyone on the dark web to download after the British Library refuses to pay the ransom.[6][11]
2024
5 January: The Library announces it will use around 40 percent of its financial reserves to recover from the attack, estimated at around £6–7 million.[12]
10 January: The Library announces that some of its services will return online from 15 January, with access stated by Roly Keating, chief executive of the Library, to be "slower and more manual" than before the attack. Keating apologises that "for the past two months researchers who rely for their studies and in some cases for their livelihoods on access to the library's collection have been deprived of it".[13][14]
15 January: The British Library's main online catalogue is restored in a read-only format. Users are able to search the main catalogue, but the process of checking availability and ordering items is different. Access to key special collections is restored but for in-person visits only.[13][14][15][16]
8 March: Roly Keating authors a blog post on the British Library website announcing the availability of a report that "gives a description and timeline of the attack, to the best of our current understanding, and its implications for the Library’s operations, future infrastructure and risk assessment."[17][18] The report announced that the Library was undertaking a "Rebuild & Renew" scheme "to ensure its future ability to respond to incidents of a similar scale in a consistent and structured way", including a "considerable shift" away from on-site technologies and onto the cloud.[5]
Attack methods
The Library stated that the attackers probably used a phishing, spear-phishing or brute-force attack facilitated by a compromise of third-party credentials as well as a lack of use of multi-factor authentication by the library. After gaining access, Rhysida used three methods to identify and copy the 600GB of documents during the attack, including personal details of Library users and staff. These were:[5]
A targeted attack that copied full sections of network drives of the Library's Finance, Technology and People teams, which made up 60% of all content copied.
A keyword attack which scanned for files and folders that used sensitive keywords in their names, including 'passport' or 'confidential', which constituted 40% of the copied data and included files from corporate networks and personal drives used by staff.
A hijacking of native utilities, which were then used to forcibly create backup copies of 22 databases of data including contact details of external users and customers.
Furthermore, Rhysida and its affiliates destroyed servers to inhibit system recovery and forensic analysis.[5]
Impact
While the process of calculating the full financial impact of the attack is ongoing,[5] there were a number of impacts to the functioning of the library following the attack. These include:
Library items from its Boston Spa branch could not be transferred to the London site.[8]
Around 20,000 writers, illustrators and translators who usually received Public Lending Right payments from borrowed books had their payments delayed.[19][8]
The Library's 2024–25 visiting fellowship programme was suspended.[8]
The computerised catalogue was offline for months, with partial restoration in January 2024.[8]
An estimated £6–7 million in costs to recover from the attack.[12]
As of 16 May 2024, British Library electronic resources web pages redirect to a page with the statement, "We're continuing to experience a major technology outage as a result of a cyber-attack. Our buildings are open as usual, however, the outage is still affecting our website, online systems and services, as well as some onsite services. This is a temporary website, with limited content, which outlines the services that are currently available, as well as what's on at the Library."[20]