Technology
by Öykü Işık Published 30 September 2024 in Technology • 9 min read
When the British Library fell victim to a major ransomware attack it opted for a policy of full transparency. Here we outline what government organizations, NGOs, and businesses can learn from the incident, especially if they rely on legacy systems.
The British Library is the national library of the United Kingdom and one of the world’s largest libraries. In the fall of 2023, it fell victim to a major ransomware attack that severely disrupted its operations and compromised sensitive data.
The institution decided on a strategy of full transparency and produced and published a detailed report into the causes and nature of the attack and initial recovery. The report offers important lessons for all organizations about cybersecurity vulnerabilities and crisis management. In this article, we have summarized the report’s key findings and added our own perspective and advice on the issues it raises.
The attack
On 28 October 2023, it became clear that the British Library had been hit by a ransomware attack that compromised most of its online systems. The attack, claimed by the Rhysida ransomware gang, exfiltrated data, encrypted or destroyed substantial portions of the Library’s server estate, and forcibly locked out all users from the network.
Forensic analysis indicates the attackers likely first gained access at least three days before the incident became apparent, conducting initial reconnaissance of the network. The exact point of entry could not be definitively determined, but a terminal server used for remote access by trusted partners is believed to be the source. The lack of multi-factor authentication on this server is thought to have contributed to the attackers’ ability to gain entry.
The attackers exfiltrated approximately 600GB of data – nearly 500,000 files – many from the Library’s CRM (Customer Relationship Management) database, including personal data of Library users and staff. They used targeted attacks to copy records wholesale from certain departments, as well as keyword searches to identify potentially sensitive files across the network. Multiple databases were also compromised but financial data appeared to be absent from the leak.
A few days after the attack, the Rhysida gang leaked internal HR documents on the dark web, potentially including employee passport scans and contracts. The hackers then initiated a week-long auction for the stolen data, demanding 20 bitcoin (about £600,000) for the full dataset.
Subsequently, Rhysida published 573GB of data – roughly 90% of the total stolen – on their dark web site. This suggests they failed to sell the full dataset and indicates the Library didn’t negotiate or comply with their demands, aligning with best practices for ransomware attacks.
In addition to data theft, the attackers encrypted data and systems and destroyed some servers, severely hampering the Library’s ability to recover its infrastructure. While secure backups of digital collections and metadata existed, the lack of viable infrastructure on which to restore this data was a major obstacle to recovery.
“Even after the launch of a searchable online catalog in January 2024, many digital services remained unavailable.”
Impact on operations
The attack had an extensive impact across all areas of Library activity. While the physical premises remained open, research services were severely restricted for months. Even after the launch of a searchable online catalog in January 2024, many digital services remained unavailable.
Key systems could not be restored to their previous form, either due to a lack of vendor support or incompatibility with the new secure infrastructure. Cloud-based systems like email, finance, and HR were largely unaffected. The Library continues to work to achieve the full recovery of systems and services and expects some of its most popular services will be running again during September.
The British Library
The British Library was officially created in 1973 by the British Library Act, but its origins date back much further.
It serves scholars, researchers, students, and the general public, holding over 170 million items in multiple languages and formats, including books, manuscripts, maps, newspapers, magazines, prints, drawings, music scores, and digital materials. It is based in St Pancras, an area of central London.
Its main roles include:
Legal deposit library: Receives a copy of every publication produced in the UK and Ireland
Research: Supports researchers with vast collections spanning all subjects and many centuries
Preservation: Conserves and digitizes millions of items to ensure long-term access
Cultural heritage: Holds many of the world’s most significant historical texts and artifacts
Public engagement: Hosts exhibitions, events, and educational programs
Digital services: Provides online access to many resources and catalogs
International collaboration: Partners with institutions worldwide for research and cultural exchange
Hack threatened core purpose
The incident significantly disrupted the Library’s ability to fulfill its main roles (see box above) across multiple areas. Its work on custodianship, preservation, and access to digital collections was severely impacted, and legal deposit intake was also disrupted. Research activities were hampered as researchers faced major restrictions on collection access, with many digital resources remaining unavailable for months due to the hack across a range of legacy systems.
Physical collections remained secure, and some business operations continued but with limitations, particularly in marketing capabilities. Cultural activities fared somewhat better, with exhibitions and events continuing successfully through various workarounds. Learning initiatives were affected, as on-site activities continued but online resources were unavailable. Finally, in the international sphere, most activities continued, though some partnerships experienced delays due to the disruption.
Crisis response
The library immediately activated its crisis management plans, convening its central and tactical (Gold and Silver) committees to provide strategic and operational management of the incident. External cybersecurity advisors were brought in to assist. Communication with users, staff, and stakeholders was coordinated via social media and other channels, with care taken not to share details that could aid the attackers.
In December 2023, the Library transitioned from crisis response to a formal recovery program called Rebuild & Renew. This 18-month initiative aims to not just restore disrupted services but strategically modernize and enhance Library operations to build greater long-term resilience.
“Manual data transfer processes between older systems also increased the volume of sensitive data exposed on the network.”
Infrastructure vulnerabilities
The British Library’s historically complex and diverse technology infrastructure likely contributed to the severity of the attack’s impact. Legacy systems and a complex network topology allowed attackers wider access than a more modern architecture would have permitted. Manual data transfer processes between older systems also increased the volume of sensitive data exposed on the network.
The reliance on legacy infrastructure is the primary reason for the extended recovery time, as many systems need to be migrated, modified, or entirely rebuilt to function in a modern secure environment. This highlights the importance of continual investment to keep infrastructure and applications current.
These ongoing risks highlight the need for continued vigilance and adaptability in the library's cybersecurity strategy.
Future risk mitigation
The library is leveraging the recovery process as an opportunity to implement wide-ranging improvements to its technology infrastructure and security practices. These enhancements include implementing a best-practice network design with proper segmentation, adopting a hybrid cloud computing model, and enhancing access controls and multi-factor authentication. The library is also improving backup and disaster recovery capabilities, deploying an integrated, holistic security suite, strengthening policies and governance around IT lifecycles, and consolidating key library systems onto modern, secure platforms.
Several risks will require ongoing attention as the library may face an increased threat of future attacks while embedding a security-focused culture across the organization will require a significant change management effort.
Additionally, the technology department faces major capacity and capability challenges to deliver the recovery program, and the shift to greater cloud adoption introduces new security considerations. These ongoing risks highlight the need for continued vigilance and adaptability in the library’s cybersecurity strategy.
Lessons and key takeaways
The British Library’s experience offers several key lessons for businesses as well as cultural, not-for-profit, and research institutions:
1. Enhance network monitoring capabilities to ensure full coverage across legacy and modern infrastructure.
2. Retain on-call external security expertise to enable rapid incident response.
3. Implement multi-factor authentication comprehensively, including on all external access points.
4. Conduct in-depth security reviews regularly.
5. Implement network segmentation to limit potential damage from breaches.
6. Regularly practice business continuity plans for total system outages.
7. Maintain a regularly updated and holistic view of cyber risks at senior management and supervisory board levels. This is also important from a compliance and governance perspective.
8. Focus on resilience and invest in response and recovery processes, recognizing that it’s not always possible to understand or “fix” the root cause of an intrusion.
9. Prepare for ransomware as a damage minimization game. Even with preparation, there will be damaging impacts, but the extent depends on the level of preparedness.
10. Conduct and publish detailed impact assessments of attacks on an organization’s core purposes, as exemplified by the British Library’s report.
This level of principled reporting should be considered exemplary for all organizations, public and private alike.
Transparent reporting approach also offers guidance for all organizations
The British Library’s approach to post-event reporting and transparency sets a new standard for best practices in cybersecurity incident reporting. Their detailed assessment of the attack’s impact on the library’s core purposes is particularly commendable. This level of principled reporting should be considered exemplary for all organizations, public and private alike. Some of the generic lessons learned show that an organization doesn’t need to be non-profit to benefit from such a thorough and transparent account.
Norway’s Hydro says ‘no’ to hackers – how transparency during a cyber-attack won plaudits from cyber experts and law enforcement
While the British Library is a public institution, transparency related to a cyber-attack also played out positively for a large manufacturing business.
In March 2019, Hydro, a Norwegian renewable energy and aluminum manufacturer, fell victim to a LockerGoga ransomware attack that crippled its global operations. The company decided not to pay the ransom and instead opted for a transparent approach to managing the crisis.
Hydro shut down its entire network, warned employees not to log in, and shifted to manual operations to keep production going. The company held daily press conferences and internal briefings, inviting journalists to observe their response efforts. They also used social media and fast-tracked a new website to communicate with customers and the public.
The recovery involved three teams working with Microsoft and the Norwegian National Cyber Security Center to investigate the virus, restore operations, and rebuild the network. This process took several weeks for essential systems and months for less critical ones.
The attack cost Hydro more than $80m and disrupted production for 6-8 weeks. It also highlighted the ongoing challenges in combating ransomware and the complex interplay between cybercrime, cryptocurrencies, and insurance policies.
Hydro’s response was praised as “gold standard” by law enforcement and the cybersecurity industry. Their share price increased after the attack was made public, suggesting market confidence in their approach. The openness and transparency of the response was also recognized with communications industry awards.
Exemplary transparency, but the reality may still be damage limitation
The British Library’s report goes beyond merely explaining what happened and why; it also outlines lessons learned and planned changes. This comprehensive approach should be considered standard practice and could potentially be incorporated into government expectations for private companies when they experience a breach.
The attack demonstrates that even institutions with extensive security measures can fall victim to sophisticated cyber criminals. Continual investment in modernizing infrastructure, enhancing security controls, and fostering a security-conscious culture is essential. The potential costs of prevention are far outweighed by the devastating impact of a successful attack on an institution’s operations and reputation.
It’s crucial to note that the British Library did the legally and morally right thing by not paying the ransom. However, they still suffered significant consequences, underscoring that ransomware attacks often become a process of damage minimization. Regardless of how well an organization is prepared for an attack, there will be damaging impacts, but the extent of the damage largely depends on the level of preparedness.
As our global cultural and intellectual heritage becomes increasingly digital, protecting these assets from cyber threats must be a top priority for institutions and policymakers alike. The British Library’s transparent and detailed reporting of this incident serves as a valuable learning opportunity for other organizations and could significantly improve cybersecurity practices and resilience across sectors if widely adopted.
Authors
Öykü Işık
Professor of Digital Strategy and Cybersecurity at IMD
Öykü Işık is Professor of Digital Strategy and Cybersecurity at IMD, where she leads the Cybersecurity Risk and Strategyprogram. Sheis an expert on digital resilience and the ways in which disruptive technologies challenge our society and organizations. Named on the Thinkers50 Radar 2022 list of up-and-coming global thought leaders, she helps businesses to tackle cybersecurity, data privacy, and digital ethics challenges, and enables CEOs and other executives to understand these issues.
Related
Sustainable capitalism requires boards with courage
19 September 2024 • by Paul Strebel in Governance
Here are four key focus areas to ensure boards overcome the financial and competitive pressures that prevent companies from implementing sustainable capitalism ...
Where Mario Draghi’s €800bn industrial strategy for Europe falls short
10 September 2024 • by Arturo Bris in Governance
The former Italian premier and ECB president’s call for massive EU investment is a wake-up call to Europe’s economic stagnation. But can the continent afford the trade-offs he overlooks? ...
Europe’s Digital Markets Act: Bold reform or stifling regulation?
10 September 2024 • by Ralf Boscheck in Governance
As the EU enforces the Digital Markets Act, tech giants face strict new rules aimed at curbing their dominance – but critics warn the move could stifle innovation and limit consumer choice....
Boards must prepare to deal with the unexpected
21 August 2024 in Governance
When navigating an increasingly complex external environment, boards should pay attention to the differences between risk and uncertainty....
Learn Brain Circuits
Join us for daily exercises focusing on issues from team building to developing an actionable sustainability plan to personal development. Go on - they only take five minutes.
Read more
Explore Leadership
What makes a great leader? Do you need charisma? How do you inspire your team? Our experts offer actionable insights through first-person narratives, behind-the-scenes interviews and The Help Desk.
Read more
Join Membership
Log in here to join in the conversation with the I by IMD community. Your subscription grants you access to the quarterly magazine plus daily articles, videos, podcasts and learning exercises.
Sign up