British Library avoids investigation over ransomware attack, praised again for response
The U.K. Information Commissioner’s Office (ICO) announced on Wednesday it would not be pursuing an investigation of the British Library following a cyberattack against the institution in October 2023.
It comes amid an ongoing drop in the number of investigations launched by the ICO into ransomware data breaches, down from a rate of almost 100% of all incidents in 2019/2020 to less than 4% of all incidents in 2024.
The privacy regulator said that having “carefully considered this particular case” it “decided that, due to our current priorities, further investigation would not be the most effective use of our resources.” The ICO has the power to issue monetary penalties or reprimands after an investigation.
The British Library — the national library of the United Kingdom and an archive of millions of books and manuscripts — has been praised for its response to the incident. Officials across government have wanted to avoid punishing victim organizations that responded to ransomware attacks in a way that meets the standards of best victim behavior.
In particular, the U.K.’s National Cyber Security Centre said the British Library “should be applauded” for refusing to pay an extortion fee, and singled out the institution for praise for detailing its recovery process in an 18-page incident review published five months later.
The move to publish the review — in stark contrast to the secrecy with which most organizations respond to ransomware attacks — was widely acclaimed.
According to the ICO, the review “provided an overview of the cyberattack” and contributed to public understanding by including “key lessons learnt to help other organisations that may experience similar incidents.”
The British Library’s security failings — including a lack of multi-factor authentication on an administrator account — could have been seen as a breach of laws requiring companies to adequately protect their systems.
Instead of penalizing the library the ICO commended it “for being open and transparent about its system vulnerabilities that contributed to the incident, the impact it has had, and the improvements made so far to protect people’s personal information.”
The decision not to pursue an investigation sets the British Library’s response apart from those of software company Advanced and solicitors firm DPP Law, which were both recently fined after suffering cyberattacks.
On Wednesday, the ICO stressed: “Organisations must take proactive steps to assess and mitigate risks against cyber attacks, such as implementing comprehensive multi-factor authentication (or an equivalent measure), regularly scanning for vulnerabilities and keeping systems up to date with the latest security patches.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.