In October 2023, Rhysida, a hacker group, attacked the online information systems of the British Library. They demanded a ransom of 20 bitcoin, at the time around , to restore services and return the stolen data. When the British Library did not acquiesce to the attempt, Rhysida publicly released approximately 600 GB of leaked material online. It has been described as "one of the worst cyber incidents in British history". The main catalogue returned online on 15 January 2024 in a read-only format, although some of the library's services are expected to remain unavailable for months. The British Library will use about 40 percent of its financial reserves, around £6–7 million, to recover from the attack.


Background

The British Library is a non-departmental public body which in 2023 held around 14 million books, as well as millions of other items. It is the largest library in the United Kingdom. The Library was protected by firewalls and antivirus software but was not using multi-factor authentication (MFA), and had installed a new Terminal Services server in February 2020 to facilitate remote access to third-party providers and internal IT administrators during the COVID-19 pandemic; this was the server on which unauthorised access was first detected during the attack. In 2020, the lack of MFA on the server was raised as a risk; a Library report later stated that "the possible consequences were perhaps under-appraised".

Rhysida is a hacker group and "ransomware as a service" provider already known for its attacks on vital infrastructure such as schools, hospitals and government agencies, having become known to intelligence services in May 2023. It had previously attacked the Chilean Army, a medical research lab in Australia, and health-care company Prospect Medical Holdings. The British Library attack was part of a larger pattern of cyberattacks at this time against cultural institutions. These attacks had previously affected the Metropolitan Opera in New York City and Natural History Museum in Berlin.


Timeline of events


2023

* 28 October: At 9:54 a.m. GMT, the British Library states on Twitter that it is experiencing "technical issues affecting our website". By midmorning, issues include a public Wi-Fi outage and non-functional online catalogue.
* 29 October: The Library announces on Twitter that it is experiencing a "technology outage".
* 30 October: The Library reopens after the weekend "in a pre-digital state", according to The New Yorker. Its website, phone lines, ticket sales, reader registrations, and card transactions are non-functional. Deliveries from the Library's Boston Spa site are put on hold.
* 31 October: The Library confirms publicly that the outage is the consequence of a cyberattack. It launches an investigation alongside the National Cyber Security Centre (NCSC) and other cybersecurity specialists.
* 16 November: An attempt at digital extortion, also known as a ransomware attack, is confirmed by the Library.
* 20 November: Rhysida claims responsibility for the breach and launches a week-long auction for 490,191 files of data on the dark web, opening bidding at 20 bitcoin, at the time equivalent to about , for a single buyer. It sets the auction deadline to 8 a.m. GMT on 27 November and advertises it with low-resolution images which appear to show HM Revenue and Customs documents, employment contracts and passport information. It claims the data is "exclusive, unique and impressive". The Library states that the leaked data appears to be from its internal human resources files.
* 27 November: Rhysida makes 90 percent of the stolen data, approximately 600 GB, freely available for anyone on the dark web to download after the British Library refuses to pay the ransom.


2024

* 5 January: The Financial Times reports that the Library would use around 40 percent of its financial reserves to recover from the attack, estimated at around £6–7 million.
* 10 January: The Library announces that some of its services will return online from 15 January, with access stated by Roly Keating, chief executive of the Library, to be "slower and more manual" than before the attack. Keating apologises that "for the past two months researchers who rely for their studies and in some cases for their livelihoods on access to the library's collection have been deprived of it".
* 15 January: The British Library's main online catalogue is restored in a read-only format. Users are able to search the main catalogue, but the process of checking availability and ordering items is different. Access to key special collections is restored but for in-person visits only.
* 8 March: Roly Keating authors a blog post on the British Library website announcing the availability of a report that "gives a description and timeline of the attack, to the best of our current understanding, and its implications for the Library’s operations, future infrastructure and risk assessment." The report announced that the Library was undertaking a "Rebuild & Renew" scheme "to ensure its future ability to respond to incidents of a similar scale in a consistent and structured way", including a "considerable shift" away from on-site technologies and onto the cloud.
* 30 July: The Library announces that remote ordering of physical media for delivery to the Reading Rooms will be available by September 2024. Digital versions of historically significant manuscripts will be re-released incrementally beginning in September, based on a "prioritised list of manuscripts based on criteria including the items that were most requested prior to the cyber-attack and items to which Reading Room access is restricted." Educational websites, and digital academic journals, will also be restored before the academic year 2024–25, to the extent possible. Digital ordering of items in the Automated Storage Building is expected to go back online in August 2024.


Attack methods

The Library stated that the attackers probably used a phishing, spear-phishing or brute-force attack facilitated by a compromise of third-party credentials as well as a lack of use of multi-factor authentication by third-party contractors. After gaining access, Rhysida used three methods to identify and copy the 600 GB of documents during the attack, including personal details of Library users and staff. These were:

1. A targeted attack that copied full sections of network drives of the Library's Finance, Technology and People teams, which made up 60% of all content copied.
2. A keyword attack which scanned for files and folders that used sensitive keywords in their names, including 'passport' or 'confidential', which constituted 40% of the copied data and included files from corporate networks and personal drives used by staff.
3. A hijacking of native utilities, which were then used to forcibly create backup copies of 22 databases of data including contact details of external users and customers.

Furthermore, Rhysida and its affiliates destroyed servers to inhibit system recovery and forensic analysis.
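An added example, not taken from the Library's report or from any tool it names: a minimal detector that separates the first two copying patterns described above (bulk reads under one share section versus reads of keyword-named files scattered across directories) in file-read audit events. The log format, account names, paths, window size and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from pathlib import PurePosixPath

KEYWORDS = ("passport", "confidential")  # the two keywords the page names
EPOCH = datetime(1970, 1, 1)
WINDOW_SECONDS = 600   # assumed bucket size for grouping reads
BULK_MIN = 5           # assumed: reads under one share root per window
SWEEP_MIN = 3          # assumed: keyword-named files read per window
SWEEP_DIRS = 3         # assumed: distinct directories those hits span

# Constructed events, one per line: "<ISO time> <account> <path>".
SAMPLE_LOG = """\
2024-01-01T02:00:01 acct_a /shares/finance/2022/q1.xlsx
2024-01-01T02:00:02 acct_a /shares/finance/2022/q2.xlsx
2024-01-01T02:00:03 acct_a /shares/finance/2022/q3.xlsx
2024-01-01T02:00:04 acct_a /shares/finance/2023/q1.xlsx
2024-01-01T02:00:05 acct_a /shares/finance/2023/budget.docx
2024-01-01T02:10:01 acct_b /shares/people/alice/passport_scan.pdf
2024-01-01T02:10:02 acct_b /home/bob/Confidential-review.docx
2024-01-01T02:10:03 acct_b /shares/tech/vendors/confidential_terms.pdf
2024-01-01T09:15:00 acct_c /shares/people/policies/leave.pdf
2024-01-01T09:40:00 acct_c /shares/people/hr/passport_policy.pdf
"""

def parse(log):
    """Yield (timestamp, account, path) from whitespace-separated lines."""
    for line in log.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) == 3:  # skip blank or malformed lines
            yield datetime.fromisoformat(parts[0]), parts[1], PurePosixPath(parts[2])

def classify(log):
    """Return {account: set of labels} for the two access patterns."""
    buckets = defaultdict(list)
    for ts, account, path in parse(log):
        window = int((ts - EPOCH).total_seconds()) // WINDOW_SECONDS
        buckets[(account, window)].append(path)
    findings = defaultdict(set)
    for (account, _), paths in buckets.items():
        # Bulk copy: many reads under a single share root in one window.
        per_root = defaultdict(int)
        for p in paths:
            per_root[p.parts[:3]] += 1  # e.g. ('/', 'shares', 'finance')
        if max(per_root.values()) >= BULK_MIN:
            findings[account].add("bulk-copy")
        # Keyword sweep: keyword-named files spread over many directories.
        hits = [p for p in paths if any(k in p.name.lower() for k in KEYWORDS)]
        if len(hits) >= SWEEP_MIN and len({p.parent for p in hits}) >= SWEEP_DIRS:
            findings[account].add("keyword-sweep")
    return dict(findings)

if __name__ == "__main__":
    for account, labels in classify(SAMPLE_LOG).items():
        print(account, sorted(labels))
```

The single ordinary read of a keyword-named policy file by acct_c is not flagged, because the sweep label requires several hits spread over several directories within one window.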


Impact

While the process of calculating the full financial impact of the attack is ongoing, there were a number of impacts to the functioning of the library following the attack. These include:

* Library items from its Boston Spa branch could not be transferred to the London site.
* Around 20,000 writers, illustrators and translators who usually received Public Lending Right payments from borrowed books had their payments delayed.
* The Library's 2024–25 visiting fellowship programme was suspended.
* The computerised catalogue was offline for months, with partial restoration in January 2024.
* The EThOS collection of British doctoral theses remained offline as of 19 December 2023.
* An estimated £6–7 million in costs to recover from the attack.
* As of 4 November 2024, British Library electronic resources web pages redirect to a page with the statement, "We're continuing to experience a major technology outage as a result of a cyber-attack. Our buildings are open as usual, however, the outage is still affecting our website, online systems and services, as well as some onsite services. This is a temporary website, with limited content, which outlines the services that are currently available, as well as what's on at the Library."


See also

* WannaCry ransomware attack
* Internet Archive cyberattack

