The attack
On 28 October 2023, it became clear that the British Library had been hit by a ransomware attack that compromised most of its online systems. The attack, claimed by the Rhysida ransomware gang, exfiltrated data, encrypted or destroyed substantial portions of the Library’s server estate, and forcibly locked out all users from the network.
Forensic analysis indicates the attackers likely first gained access at least three days before the incident became apparent, conducting initial reconnaissance of the network. The exact point of entry could not be definitively determined, but a terminal server used for remote access by trusted partners is believed to be the source. The lack of multi-factor authentication on this server is thought to have contributed to the attackers’ ability to gain entry.
The attackers exfiltrated approximately 600GB of data – nearly 500,000 files – much of it from the Library’s CRM (Customer Relationship Management) database, including personal data of Library users and staff. They copied records wholesale from certain targeted departments, and also ran keyword searches to identify potentially sensitive files across the network. Multiple databases were also compromised, but financial data appeared to be absent from the leak.
A few days after the attack, the Rhysida gang leaked internal HR documents on the dark web, potentially including employee passport scans and contracts. The hackers then initiated a week-long auction for the stolen data, demanding 20 bitcoin (about £600,000) for the full dataset.
Subsequently, Rhysida published 573GB of data – roughly 90% of the total stolen – on their dark web site. This suggests they failed to sell the full dataset and indicates that the Library neither negotiated nor complied with their demands, in line with best practice for responding to ransomware attacks.
In addition to data theft, the attackers encrypted data and systems and destroyed some servers, severely hampering the Library’s ability to recover its infrastructure. While secure backups of digital collections and metadata existed, the lack of viable infrastructure on which to restore this data was a major obstacle to recovery.