Cyber Incident Victim: Newport News Public Library
Date: Apr 2023
Location: United States of America
Summary
An attempted cyber attack was responsible for a three-day system outage at Newport News Public Library. The incident disrupted public access to online services, including the catalog, public computers, and printing. While the library's website remained accessible, patrons could not log into accounts or use digital resources. Staff worked to restore functionality, and no evidence of compromised personal information was reported as a result of the attack.
Description
On April 25, 2023, the Newport News Public Library system experienced a significant disruption to its online services and public computing infrastructure. The incident was publicly characterized as an attempted cyber attack. This event resulted in the library taking its website and public access computer systems offline to contain the potential threat and initiate a response. The decision to disconnect these systems was a precautionary measure taken to prevent any potential escalation of the incident and to protect library patron data and the integrity of the library's network. The library's physical branches remained open to the public for standard operations such as borrowing physical materials, though all services reliant on internet access or computer systems were unavailable.

The immediate impact of taking these systems offline was a complete cessation of digital services. Patrons were unable to access the library's website to search the catalog, place holds on items, access their accounts, or utilize digital resources such as eBooks, audiobooks, and online databases. The public computers and printing services available within library branches were also rendered inoperable, directly affecting patrons who rely on these services for internet access, job applications, and other essential tasks. The Wi-Fi networks provided by the library were taken down as part of the containment strategy, further limiting connectivity options for visitors. This widespread outage represented a substantial interruption to the library's mission of providing free and open access to information and technology for its community.
In response to the incident, library administration engaged with external cybersecurity experts to assist in investigating the nature and scope of the attempted attack. This involved a forensic analysis of the affected systems to determine if any unauthorized access had been achieved, if any data had been exfiltrated, or if any malicious code, such as ransomware, had been deployed. The investigation focused on understanding the attack vectors employed by the threat actors and assessing the full extent of the compromise. The library's Information Technology team worked concurrently to clean, rebuild, and reinforce systems to ensure they could be brought back online safely without the lingering threat of malicious software or backdoors.
Communication with the public was maintained throughout the outage. The library utilized its social media channels, particularly Facebook, to provide ongoing updates regarding the status of its systems and services. These updates informed patrons of the ongoing technical issues, the continued closure of online services, and the estimated timeline for restoration. This transparent approach was aimed at keeping the community informed and managing expectations during a period of significant service disruption. The library's administration also likely engaged with local government officials and law enforcement, including possibly the FBI, as is standard protocol for addressing cyber incidents involving public infrastructure, though specific details of such engagements were not disclosed publicly.
The process of restoring services was methodical and prioritized security. Systems were only brought back online after being thoroughly scanned and verified as clean. The library's website and catalog were among the first services to be restored, followed by public access computers and Wi-Fi networks. The restoration occurred progressively over a period of several days following the initial incident on April 25th. Each phase of the restoration was tested to ensure stability and security before being made available to the public. The primary consequence of the incident was a multi-day loss of critical digital services for the community, highlighting the library's dependence on its technological infrastructure.
While the incident was termed an "attempted" cyber attack, the necessary response actions mirrored those of a successful breach. The library incurred costs associated with engaging third-party cybersecurity consultants, dedicating internal staff hours to the response and recovery effort, and potentially implementing enhanced security measures post-incident. The operational impact included a temporary reduction in the library's ability to serve its patrons fully, particularly those who depend exclusively on the institution for computer and internet access. There was no public disclosure or evidence suggesting that any patron personally identifiable information, financial data, or library records were accessed or stolen during the event. The focus remained on the disruption of services rather than a confirmed data breach.
The incident underscored the vulnerability of public institutions to cyber threats and the importance of having robust incident response plans. The library's decision to immediately disconnect affected systems was a key containment action that may have prevented a more severe outcome. The engagement of external experts provided the necessary expertise to conduct a thorough investigation and guide the recovery process. The prolonged outage demonstrated the significant role public libraries play in providing digital equity and the community-wide impact when such services are interrupted. The restoration of all services marked the conclusion of the active incident response phase, though post-incident reviews and potential security enhancements would have continued thereafter.
