The British Library in London
Image: Joyofmuseums via Wikimedia Commons (CC BY-SA 4.0)

British Library says ransomware hackers stole data from HR files

The British Library — one of the largest libraries in the world and the national library of the United Kingdom — said the ransomware gang behind a recent attack on its systems appeared to leak data stolen from its human resources files.

For nearly a month, the library has faced a range of technological issues related to a cyberattack and last week confirmed that it was dealing with a ransomware incident.

The library first announced technological issues in October after the attack took down its website, phone lines and technology services at branches in London and Yorkshire. Digital collections were also down, but the library remained open, accepting cash payments only.

On Monday, the library said it was still dealing with major technology outages as a result of the cyberattack and that its website, online systems, services and onsite services were still affected.

They plan to restore systems over the next few weeks but warned that disruptions “may persist for longer.”

On Monday, the Rhysida ransomware gang took credit for the attack, giving bidders seven days to spend at least 20 Bitcoin — or about $750,000 — for exclusive access to the data.

The library confirmed that it was aware the data stolen from its systems had been leaked.

“This appears to be from our internal HR files. We have no evidence that data of our users has been compromised. However, if you have a British Library login and your password is used elsewhere, we recommend changing it as a precautionary measure,” they said.

“In the meantime, we’ve taken targeted protective measures to ensure the integrity of our systems, and we’re continuing to investigate the attack with the support of [National Cyber Security Centre], the Metropolitan Police and cybersecurity specialists. Thank you for bearing with us during this investigation.”

The library’s buildings are still open and books can still be taken out physically. Transactions are still cash-only.

The library holds more than 170 million items from across the world and has several locations across the United Kingdom.

The Rhysida ransomware gang – named after centipedes – first emerged in late May 2023 and has already claimed major attacks on government institutions in Portugal, the Dominican Republic, Kuwait, Chile and the Caribbean island of Martinique.

The gang drew headlines in the U.S. for its devastating attack on Prospect Medical Holdings – which operates 16 hospitals in several states and was forced to redirect ambulances as a result of the incident.

Last week, the top cybersecurity agencies in the U.S. released an advisory on the gang’s operations warning that it has “predominantly been deployed against the education, healthcare, manufacturing, information technology, and government sectors since May 2023.” The advisory cites several cybersecurity reports drawing links between the gang and another ransomware operation named Vice Society.

Libraries can be prime targets for hackers because disruptions to digital services cause frustration for the public and the facilities maintain troves of information about users.

Toronto library system hit

The cyberattack on the British Library came days after an attack on Toronto Public Library — Canada’s largest public library system serving more than 1.2 million members with more than 12 million items spread across 100 branches.

Last week, the Toronto Public Library also confirmed it had been hit with ransomware, writing in a notice on a temporary website that it is working with cybersecurity experts and has reported the incident to the Information and Privacy Commissioner of Ontario as well as the Toronto Police Service.

“Regrettably, the criminals that compromised our network did steal a large number of files from a file server. We did not pay a ransom. We are aware that stolen data connected to this incident may be published on the dark web, which is part of the internet that is not accessible except through a special browser. We are currently evaluating the affected data and can share some preliminary conclusions,” they said.

“At this point in our investigation, we believe current and former staff employed by Toronto Public Library (TPL) and the Toronto Public Library Foundation (TPLF) from 1998 are impacted. Information related to these individuals was likely taken, including their name, social insurance number, date of birth and home address. Copies of government-issued identification documents provided to TPL by staff were also likely taken.”

The organization said cardholder data was not accessed but some customer, volunteer and donor information was exposed. They are still working to figure out who is affected and how.

Toronto Public Library pledged to offer victims two years of free credit monitoring services.

BleepingComputer reported that the attack on Toronto Public Library was caused by the Black Basta ransomware gang.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.