
Cyber Incident Victim: British Library

Date: Oct 2023

Location: United Kingdom

Summary

A ransomware attack by the Rhysida gang compromised the institution's network through a Terminal Services server lacking multi-factor authentication, enabling data exfiltration of approximately 600GB containing staff and user personal information, later auctioned on the dark web. Attackers encrypted and destroyed critical infrastructure, causing extensive IT outages that disrupted online catalogues, research services, and digital collection access for months, though physical locations remained operational. Recovery required rebuilding legacy systems with modernized infrastructure, as obsolete applications couldn't be restored, while cloud-based finance and payroll systems remained unaffected. The incident highlighted vulnerabilities from complex legacy networks and insufficient access controls, prompting accelerated infrastructure renewal and enhanced security measures.

CIA Posture: available to members
Motives: 1 motive (details available to members)
Tactics, Techniques & Procedures: 4 techniques (details available to members)
Threat Actor: 1 actor
Type: available to members
Location: available to members

Description

On October 28, 2023, the British Library experienced a major ransomware cyber-attack claimed by the Rhysida criminal gang, first detected when staff could not access the network at 07:35. Forensic investigations revealed hostile reconnaissance activities beginning three days earlier, with unauthorized network access detected at 23:29 on October 25. The attackers likely exploited a Terminal Services server installed in February 2020 to facilitate third-party access, which lacked multi-factor authentication despite other security measures like firewalls and vulnerability scans. Initial alerts of suspicious activity on October 26 were investigated but not escalated as malicious at the time. Rhysida exfiltrated approximately 600GB of data—including staff and user personal information, finance records, and marketing databases—before encrypting or destroying servers to inhibit recovery. Jisc detected 440GB of abnormal data traffic leaving the library’s network at 01:30 on October 28, coinciding with the data theft. The library refused ransom demands, leading Rhysida to auction the stolen data on the dark web by late November.


The attack crippled most online systems, forcing the closure of the library’s website, digital catalogues, and research services like e-resources, inter-library loans, and non-print legal deposit access. Physical sites remained open with manual workarounds, but reading room operations were restricted to 50% of physical collections, while digital preservation backups required validation before restoration. Critical cloud-based systems for finance, payroll, and email remained functional. A Rebuild & Renew programme launched in December 2023 prioritized infrastructure modernization, migrating legacy applications to secure cloud environments, and implementing network segmentation, multi-factor authentication, and enhanced monitoring. Forensic analysis confirmed the attackers’ methods included targeted data harvesting, keyword-based file searches, and database backups using native utilities. The library’s complex legacy infrastructure—rooted in merged collections and outdated network designs—amplified the attack’s impact, delaying full recovery until mid-April 2024. Staff morale suffered due to service disruptions and personal data exposure, mitigated partly through credit monitoring services. The Information Commissioner’s Office investigated the breach, while the library maintained compliance with regulatory notifications and user communications via social media and direct outreach.
