British Library hailed by UK cyber agency for its response to ransomware attack

The interim head of Britain’s National Cyber Security Centre (NCSC) said the British Library “should be applauded” for refusing to pay an extortion fee to the criminals behind a ransomware attack last year.

The British Library — the national library of the United Kingdom and an archive of millions of books and manuscripts — was hit by an initially unspecified attack last October, although internally the cause was known to be ransomware.

The nature of the attack became public when the Rhysida gang subsequently claimed credit and attempted to sell the library’s stolen personnel data.

A wide range of services across the library were shuttered by the incident, including access to its online catalog — described as “one of the most important datasets for researchers around the world” by the library’s chief executive, Sir Roly Keating.

Although there are secure copies of all of the items in this catalog, the attack left the majority of the library’s digital infrastructure unusable. Recovery is still ongoing five months later, with the infrastructure rebuild expected to be complete by mid-April, at which point the library will begin restoring its systems in a phased manner.

The library detailed its recovery process in an 18-page incident review earlier this month. The move to publish the review — in stark contrast to the secrecy which most organizations respond to ransomware attacks with — was widely acclaimed.

In a letter published Sunday by The Guardian newspaper, the NCSC’s interim chief executive, Felicity Oswald, wrote: “By responding to its attack in the transparent way that it has, the library has set a great example. We encourage all organisations to read its instructive review.”

Oswald — who is heading the agency while the search continues for Lindy Cameron’s replacement — warned that every extortion payment made “gives criminals the message that attacks work and that it’s worth doing again,” and applauded the decision not to pay.

She also hailed the incident review, which provides “a detailed timeline of when and how the attack took place, including a suspected instance of hostile reconnaissance a few days before the major ransomware attack of Saturday 28 October.”

The review identifies what the likely point of entry was and is explicit as to where the British Library’s existing security measures fell short, “in spite of the routine use of security assessments including penetration tests where appropriate.”

It also credits the NCSC for providing “early advice on incident handling, including communications strategy.” This guidance meant the British Library “sought to keep users, staff and stakeholders updated about what was happening without sharing detail that could aid the attackers.”

The NCSC, in a blog post titled “more transparency around cyber attacks is a good thing for everyone,” says it has “extensive communications support available” for victims to help them “navigate the incident and to manage media coverage and active communications.”

“We encourage organisations to be open when an incident happens, but ultimately, it’s your choice, and we will support you either way,” the agency states.

Leicester City Council, another publicly funded organization in Britain, has this month also confirmed being hit by an unspecified cyberattack. The leader of Redcar and Cleveland Council told a parliamentary inquiry last year that she had been pressured to keep quiet about an attack that disrupted services there in 2020.

Disruptive cyberattacks affecting local authorities have surged according to security incident trends data released by the Information Commissioner’s Office, with 67 ransomware attacks recorded in the first three quarters of 2023 compared to 13 during the whole of 2022.

Last week, the British government was accused by a parliamentary committee of taking the “ostrich strategy” by burying its head in the sand over the “large and imminent” national cyber threat posed by ransomware. The committee had previously warned that the government’s failures to tackle the threat meant there was a “high risk” the country faces a “catastrophic ransomware attack at any moment.”