The British Library suffered a serious ransomware attack in late 2023. The library acknowledged that its security measures were not adequate to prevent the attack. Its highly complex technology estate, consisting of various collections built on outdated legacy systems, presented a wide attack surface and worsened the outcome of the attack.
Once it had recovered its systems, the library published a case study of its experience in the hope that it would help other organisations avoid the same mistakes.
Below is a concise summary of what happened, its implications, and lessons learned:
The Attack
- Date: October 28, 2023
- Method: Ransomware attack by the Rhysida gang
- Breach: Attackers encrypted and destroyed servers and exfiltrated 600 GB of data
- Entry Point: Likely via compromised privileged account credentials, possibly through phishing
Impact
- 600 GB of Data Loss: Personal data of users and staff stolen
- Ransom: The Library did not pay the ransom, and the stolen data was auctioned on the dark web
- System Damage: Severe damage to server estate, inhibiting recovery efforts
- Service Disruption: Almost all library users, staff, and key stakeholders were impacted by the attack in some way. The library was able to stay open, but access to its research services was severely limited
- Financial Impact: Significant costs related to infrastructure rebuild and recovery
Crisis Response
- Immediate Action: Gold and Silver crisis management teams activated
- Support: Consultation with the National Cyber Security Centre (NCSC) and specialist advisers
- Communication: Regular updates via social media and direct email to users and staff
Recovery and Rebuild
- Programme: Rebuild & Renew initiative launched in December 2023
- Phases: Immediate crisis management, interim solutions, and long-term infrastructure renewal
- Rebuilding: The Library had to undergo a complete revamp of its technical infrastructure and modernisation of its security environment and library services
- Technology Shift: Returning to the old systems proved difficult, so recovery emphasised modern, secure infrastructure and cloud-based solutions
Key Lessons Learned
- Network Monitoring: Enhance capabilities to cover all areas, especially legacy systems.
- Multi-Factor Authentication (MFA): Implement MFA across all access points.
- Intrusion Response: Conduct in-depth reviews after any signs of intrusion.
- Network Segmentation: Limit attack damage by modernising network design.
- Business Continuity: Regularly practise plans for complete system outages.
- Holistic Cyber-Risk Management: Ensure senior management understands and manages cyber-risks comprehensively.
- Legacy System Management: Prioritise the elimination and updating of legacy systems.
- Staff Training: Regular cyber-security training tailored to roles and emerging threats.
- Wellbeing Management: Include provisions for staff and user support during cyber incidents.
- Collaboration: Share information and best practices with peers to enhance sector-wide security.
Moving Forward
- Strategic Vision: Align recovery with the British Library’s Knowledge Matters strategy.
- Modernisation: Focus on creating a resilient, secure, and innovative infrastructure.
- Enhanced Security: Embed security deeply into all technology and operational processes.
- Change Management: Foster a culture of adaptability and resilience across the organisation.