A cyber attack on the digital systems of the British Library in London continues to affect its website, online systems and some onsite services with limited access to some publications and manuscripts. The so-called ransomware attack, which was launched on 31 October, is part of a recent pattern marking an increase in the severity of cyber attacks on critical infrastructure. The online attacks have affected cultural institutions such as the Metropolitan Opera in New York and the Natural History Museum in Berlin, and the data they hold, and has left others considering how best to defend themselves against future attacks.
The British Library attack was carried out by the Rhysida ransomware group, according to the BBC. Meanwhile The Financial Times reports that the hackers, who claim to have stolen user data and employee details, have released low-res images of British Library employees’ passports and opened an auction for an undisclosed set of documents at 20 bitcoin, equivalent to about £600,000. The attackers are also demanding a ransom for the return of that data.
A British Library spokesperson says the institution has confirmed this was a ransomware attack by a group known for such criminal activity. The Rhysida ransomware is offered as a service to criminal groups, which share profits with the owners. “We now have evidence that indicates the attackers might have copied some user data as part of the cyber attack, and some additional data appears to have been published on the dark web [part of the internet accessible through a special browser]," says a British Library statement.
Personal data theft
Asked if the library planned to pay the ransom, the spokesperson says: “I am afraid we’re unable to share further information at this stage as it is an ongoing investigation.” The British Library is continuing to work with the Metropolitan Police and professional cybersecurity advisers to examine the stolen material. Exhibitions at the library, including Malorie Blackman: The Power of Stories (until 25 February), remain open.
Users’ data has been compromised. “Our subsequent investigation showed that some personal data of library users was disclosed, which we immediately announced publicly,” the spokesperson says. “Since then we have been in direct contact with our users to alert them, and encouraged them to take sensible precautions to protect themselves from any consequences based on the advice from the National Cyber Security Centre.”
In a blog post (15 December), Roly Keating, the library's chief executive, wrote: "The Library itself remains a crime scene, with a forensic investigation of our disrupted network still ongoing. In parallel, our teams are examining and analysing the almost 600 gigabytes of leaked material that the attackers dumped online—difficult and complex work that is likely to take months."
He says that from early in the new year a phased return of certain key services will begin, starting with the most crucial component—the main catalogue—a reference-only version of which will be back online from 15 January, further facilitating the manual ordering which is available in the Reading Rooms. Other interim services will include increased on-site access to manuscripts and special collections. The library has also published a list of printed and online resources providing information about its ancient, medieval and early modern manuscripts.
The Art Newspaper asked UK museums whether they were prepared for a cyber attack. A British Museum spokesperson says the institution takes a broad range of measures to protect employees, visitors and the collection from such attacks, and would not comment on individual security arrangements. A Tate spokesperson says: “We never comment on our security systems.”
Ransomware attacks are increasing in severity and sophistication
Charles Finlay, the founding executive director of the Rogers Cybersecure Catalyst centre at Toronto Metropolitan University, says that ransomware attacks are increasing in severity and sophistication, and that many ransomware gangs are based in Russia and Iran. He adds: “It is difficult to tell the nature of this attack [at the British Library] but it is a symptomatic of a significant challenge globally to protect critical infrastructure from cybersecurity attacks.
“A ransomware attack is launched primarily for financial gain and can involve two ransom demands. The first may be demanded for the return of control of the digital systems. Another ransom may be demanded to keep secure the information [relating to the employees]. Organisations often pay the ransom.
“The British Library may have activated a breach response plan, retaining third-party experts to assess the scope of the attack and attempt to mitigate it, which could be the start of a long process to retain trust with stakeholders.”
Jiali Zhou, assistant professor in the Kogod School of Business at the American University, Washington DC, stresses that the attack highlights the vulnerability of public sector IT infrastructure. Public sector organisations often hold valuable data, making them very attractive targets for cybercriminals, he says.
Zhou adds: “In the case of public libraries, it can be particularly challenging to hold someone accountable for security breaches. Public libraries may also face budget constraints and limited resources, which can make it difficult for them to invest proactively in robust security measures unless they have already experienced prior security incidents.” He says the reported British Library ransom demand falls within the average range for such attacks.
The real mystery is perhaps why the British Library was targeted. Some commentators believe the attack to be largely symbolic. Writing for the technology news website The Register, the UK journalist Rupert Goodwins points out that as one of the world’s largest libraries, with 170 million items, the library is “emblematic” of public knowledge.
He says: “Its books may contain many secrets, but they’re open to researchers to find, interpret and publish—or they would be if the IT was working. It’s those researchers who are uniquely suffering now, with PhD students unable to finish their work before deadlines, and their professors unable to publish. Bad news, but hardly fatal and with minimal economic impact. Like many state, education and healthcare attacks, the intention seems to be as much disruption and bad publicity as enrichment.”
Keating added meanwhile: "Libraries, research and education institutions are being targeted, whether for monetary gain or out of sheer malice. Society more widely, and all of us as individuals need to be alert to this fast-evolving threat... The people responsible for this cyber attack stand against everything that libraries represent: openness, empowerment, and access to knowledge."
Culture under attack: knockout blows
Metropolitan Opera, New York
A serious cyber attack on the Metropolitan Opera in New York, the first in its 140-year history, left the largest performing arts organisation in the United States unable to sell tickets. “This attack froze everything,” Peter Gelb, the Met’s general manager, told The New York Times. “The teachable moment of this attack is that if someone wants to break into your system, it is hard to stop them.” Following the attack, Anthony Viti, a former employee, filed a lawsuit against the Met Opera claiming that it had failed to properly safeguard personal information. The Met says the case “has no merit”, although the outcome of the case remains unclear at present.
Toronto Public Library
Officials at Toronto Public Library announced on 28 October that hackers had stolen a large number of files from its servers. Officials said they were working with third-party cybersecurity experts to address the issue and had reported the breach to the Information and Privacy Commissioner of Ontario. A report has also been filed with Toronto Police Service. “We did not pay a ransom,” the officials stressed, adding that it is “unfortunate that data security and ransomware incidents are becoming increasingly common, and that public sector organisations including hospitals, schools and libraries—all dedicated to the betterment of the community—are being targeted”. Systems are expected to remain offline until next month.
Museum für Naturkunde Berlin
The Museum für Naturkunde Berlin (Natural History Museum) fell victim to a cyber attack that targeted large parts of its digital infrastructure. The museum says it has filed a complaint and that the Berlin State Criminal Police Office is investigating the hack. Emergency operation procedures put in place ensured that the museum’s most important services have continued to run smoothly. “This emergency operation will be gradually expanded,” say officials. The museum has not responded to a request for comment about whether normal services have resumed.