British Library cyber attack explained: What you need to know

What is the British Library?

As the national library of the UK, the British Library holds more than 170 million items. Its collections include not just books but drawings, journals and diaries, maps, newspapers and magazines, patents, postage stamps, scripts, and even sound and video recordings. The core of the British Library’s collection is formed from private libraries dating to the 17^th and 18^th centuries, and includes items owned by King George II and King George III. Other items in the collection date back well over a thousand years.

It is also a legal deposit library, which means that it receives a copy of every book published in both the UK and the Republic of Ireland, as well as overseas titles distributed in the UK. It is thought to add about three million new items every year, requiring vast amounts of new shelving.

Although its roots date back centuries, the organisation was officially created in 1973 under the British Library Act of 1972, prior to which it was run as part of the British Museum. These days, it is operated as a non-departmental body by the Department for Culture, Media and Sport (DCMS).

The British Library’s main site is located on Euston Road near St Pancras Station in central London. The Grade 1 listed building was designed by Colin St John Wilson and Mary Jane Long, and was opened in 1998 by Queen Elizabeth II. The organisation also maintains a second facility at Boston Spa in Yorkshire.

Although the British Library is not a normal library that lets you borrow books to take home, it is in all other regards a working library, and you are free to visit and access its collections on site, with reading rooms open to all, and use its vast resources for learning and research. Under normal circumstances, the British Library also hosts courses, events, exhibitions, schools programmes, and even offers business startup and scaleup support services.

What happened in the British Library cyber attack?

On 29 October 2023, the British Library disclosed via X, the website formerly known as Twitter, that it was experiencing an IT outage. Two days later, on 31 October, it confirmed that the disruption was due to a cyber attack, and said that it was investigating the incident with assistance from the UK’s National Cyber Security Centre (NCSC) and law enforcement.

Although the British Library was only able to share limited details at that stage, the fact that multiple systems appeared to have been pulled offline provided an immediate clue to the precise nature of the event, namely a ransomware attack. However, it took until mid-November for the British Library to confirm that this was indeed the case.

A few days later, the Rhysida ransomware gang claimed responsibility for the cyber attack and leaked internal human resources documents, possibly including scans of employee passports and employment contracts, on the dark web. The gang also started a week-long auction of data it claimed it had stolen, asking for 20 bitcoin – approximately £600,000 at the time – for the full dataset.

At the end of November, the British Library confirmed that user data had been stolen and leaked by Rhysida. Shortly after that, Rhysida published 573GB of data – about 90% of the total amount stolen, to its dark web leak site. This indicates that it had failed to find a buyer for the full dataset, and suggests that the British Library did not negotiate or cooperate with its demands – which is recommended best practice in a ransomware attack.

The data leaked by Rhysida includes almost 500,000 files, many of them stolen from the British Library’s customer relationship management (CRM) database. These files are understood to include the personal information of readers and visitors, including their names and email addresses, and in some cases postal addresses and telephone numbers. Fortunately, it does not appear to include any financial data.

Who are Rhysida?

The cyber criminal gang behind the cyber attack on the British Library is known as Rhysida. Rhysida, which is named after a type of centipede, first emerged in 2023 and operates as a ransomware-as-a-service (RaaS) gang, which means it sells access to its ransomware to affiliates in exchange for a cut of their profits. It is likely that an affiliate of the gang was behind the cyber attack on the British Library.

According to the United States’ Cybersecurity and Infrastructure Security Agency (CISA), Rhysida largely attacks targets of opportunity, and it has struck multiple sectors including education, government, healthcare, IT and manufacturing.

The Rhysida gang favours the exploitation of external-facing remote services to access its victims' networks, and it often uses valid credentials it has stolen to authenticate to internal VPN access points, allowing it to maintain a foothold.

It has often made use of a privilege escalation vulnerability in the Microsoft NetLogon remote protocol in its attack chains – this flaw is known as Zerologon and is tracked as CVE-2020-1472.

However there has been some speculation that the Rhysida ransomware gang was able to access the British Library’s systems via a vulnerability in its VMware ESXi virtual machine infrastructure, although this has not been confirmed to date.

What services were affected by the British Library cyber attack?

The technology systems affected by the Rhysida cyber attack on the British Library included its computer systems, website, phone network and public wireless network.

The IT disruption also prevented users from being able to access items held in the collection, although the British Library is operating a limited service in this regard and is able to offer items held in the general collection at St Pancras for perusal.

Onsite services such as access to its digital collection, and online access in its onsite Reading Rooms, are still unavailable, as is the British Library On Demand service.

Also suspended is the vital inter-library loan service, which helps libraries around the UK obtain books they don’t have on their shelves for readers who want them.

It has also suspended the Eccles Centre Visiting Fellowship programme for 2024 and 2025 – this scheme supports academics, authors, educators, journalists and researchers from all over the world, with fellowship awards of up to £3,000 to spend two to three weeks exploring the British Library’s collections relating to North and South America and the Caribbean.

A full breakdown of the currently suspended services can be found here.

The knock-on effects of the disruption have caused problems for thousands of readers, visitors and academics and researchers, who have struggled to gain access to the material they need for their work.

The attack also affected more than 20,000 published authors across the UK, who are eligible to receive money under the Payment Lending Rights (PLR) scheme, which oversees payments made to writers whenever their works are borrowed from any public library in the UK and is run by the British Library.

The PLR scheme pays out up to £6,600 per person per annum, and many lesser-known authors rely on it to top up their earnings, but those affected also include some of the most famous authors writing today, such as JK Rowling and Richard Osman.

What should I do if I was affected by the British Library cyber attack?

If your data was included in the Rhysida leak, the British Library should by now have contacted you via email to inform you of this. It will reach out again should it find any further specific information has been compromised.

Due to the ongoing outage, users cannot currently change the password they use to access British Library services. However, if you have used the same password on any other service, you should change it immediately. You should also be more alert than usual to suspicious emails, and strange offers that seem too good to be true – they may be from cyber criminals trying to defraud you.

The NCSC provides a wealth of advice on staying safe online and guidance on creating safe and strong passwords. It also offers guidance for individuals who have become caught up in a data breach. If you are concerned your data may have been compromised, you can contact the British Library’s data protection officer at [email protected].

Who is to blame for the British Library cyber attack?

Ultimately, the investigation may reveal what exactly happened to the British Library, and how the Rhysida gang was able to cause so much havoc, but these details may not become public for a long time, and we may never know what or who was at fault. Even if a staff member did make a mistake, they deserve support and understanding, not blame – anybody can fall victim to a cyber attack at any time.

It is important to remember that experiencing a cyber attack is traumatic for everyone involved, and that the British Library’s staff are working extremely hard to mitigate the impact to users and restore their services. They will hugely appreciate your support and patience as they do this.

If fault is established, it is, however, possible that the British Library as an organisation may face regulatory penalties from the Information Commissioner’s Office (ICO).

Unfortunately, it is unlikely that the members or affiliates of the Rhysida ransomware gang who carried out the cyber attack will ever be caught or face justice.

When will the British Library recover from the cyber attack?

The British Library does expect that it will be able to restore more services during January and February of 2024, but has warned that disruption to some of its operations may persist for months to come, possibly until the autumn or even longer.

As of Monday 15 January, it had restored access to its online catalogue, which contains information on over 36 million printed books and journals, rare items, maps, music scores, newspapers, and freely-available online content. Although users wishing to use the catalogue must follow a somewhat different process to the one they have been used to for the time being, this is a major step in the recovery process as it enables some semblance of normality for users, and has been widely welcomed.

Meanwhile, the British Library continues to collaborate with London’s Metropolitan Police, private cyber forensics teams, and the NCSC to recover its services.

It has now been estimated that the cost of recovering the British Library’s IT systems from the Rhysida cyber attack could be as high as £7m, which represents about 40% of its unallocated cash reserves. The British Library has stated that it believes such estimations to be premature. It is working with its government sponsor, the Department for Culture, Media and Sport (DCMS) to ensure its recovery takes place on a secure, financially-sustainable basis.

Roly Keating, the British Library’s chief executive, said: “Although this kind of attack was something we had prepared for and rehearsed, and had taken steps to guard against, it was no less of a shock when it happened.

“It is our purpose to provide access to a collection of 170 million items – open to all and free at the point of use, for research, inspiration and enjoyment – and we found ourselves, that first weekend, at the receiving end of a smash-and-grab operation, and a crude attempt at extortion.

“The people responsible for this cyber attack stand against everything that libraries represent: openness, empowerment, and access to knowledge.”

Keating added: “We know that the journey to full recovery will be a long one, but the weeks since the cyber attack have demonstrated to me in abundance the expertise, energy and commitment to public service of our staff.

“This experience has also revealed the incredible understanding and generosity of our vast national and international community of users, supporters and partner institutions, who have patiently kept faith with us as we have navigated this unprecedented challenge. On behalf of all of us at the British Library – thank you.”