Cyber Incident Victim: The Agency
Date:
Feb 2025
Location:
United Kingdom
Summary
A UK book printer and a London literary agency suffered ransomware attacks, causing significant operational disruptions and financial impacts. The printer's systems were disabled, forcing clients to seek alternative printing solutions at higher costs, with one publisher reporting profits wiped out on key orders. The agency's attack was claimed by the Rhysida ransomware group, which exfiltrated data and threatened public release unless paid; affected individuals were alerted to potential data exposure. Both organizations engaged cybersecurity specialists and initiated recovery efforts, with the printer gradually restoring services and the agency collaborating with law enforcement to investigate the breach. Rhysida has previously targeted high-profile institutions, employing anti-forensic techniques to obscure their activities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On February 7, 2025, CPI, the UK’s largest book printing group operating across nine factories, experienced a disruptive cyber attack that disabled its UK IT systems in the early hours. The incident forced immediate operational shutdowns, halting production of approximately 160 million annual book outputs along with journals and loose-leaf products. Initial forensic analysis confirmed a ransomware attack despite existing network protections. CPI engaged external technical specialists and internal teams to develop workarounds while attempting system recovery, estimating gradual service restoration over subsequent days. Concurrently, London-based literary agency The Agency suffered a separate ransomware attack attributed to the Rhysida cybercrime group, known for targeting the British Library in 2023. Rhysida deployed malware that encrypted The Agency’s data files, causing significant IT outages, and threatened to publish stolen client data unless paid a ransom. The group employed anti-forensic techniques to obscure their activity, complicating efforts to determine data exfiltration scope.
The attacks caused immediate financial and operational consequences. CPI clients including Firefly Press reported profit losses from emergency re-routing of print jobs to alternative providers at higher costs, with one order’s profits entirely eliminated. Firefly faced stock shortages of existing titles and production delays for March releases. The Agency notified clients that personal data might have been copied, advising vigilance against phishing while collaborating with cybersecurity experts and the Metropolitan Police cybercrime unit to investigate. Neither organization confirmed ransom payments, though CPI prioritized system restoration and customer communication while The Agency implemented additional protective measures. The British Library’s £6 million recovery cost from Rhysida’s 2023 attack underscored potential long-term impacts. Both incidents disrupted UK publishing workflows, with CPI’s scale affecting numerous publishers competing for alternative printing capacity amid ongoing recovery efforts.