UPDATE: The British Library and Toronto Public Library are still recovering from ransomware cyber attacks which caused massive disruption of services and highlighted weaknesses in their IT systems

Two of the world’s largest libraries, The British Library and the Toronto Public Library, were both victims of massive cyber attacks which disabled their computer systems and held them for ransom in October 2023.

The British Library is the national library of the UK with holdings of over 170 million items including books, newspapers, maps, sound recordings, patents and stamps. On Oct. 28th it was hit with a massive cyberattack by Rhysida, a hacker group.

A ransom of 20 bitcoin (around £596,000 = $754,000) was demanded to restore services and return the stolen data. The attack led to many of the Library's core systems remaining unavailable for months. When it became clear that the library would not comply with the ransom demand, the attackers auctioned 573GB of employees' personal data on the dark web.

The site reports that the Library is continuing to experience a major technology problem: “Our buildings are open as usual, however, the outage is still affecting our website, online systems and services, as well as some onsite services. This is a temporary website, with limited content outlining the services that are currently available, as well as what's on at the Library.”

On March 8, 2024 the Library issued an 18-page review including an Executive Summary and a detailed section on "Lessons Learned" from the event. (Link to full report read it here)

That section (pages 17-18) lists sixteen main points. Among the ones stressed by the library and outside commentators familiar with the situation were: antiquated “legacy” systems, an over-reliance on outsourced tech support, the failure to develop and compensate its own in-house IT expertise, the need for increased security precautions, as well as a greater emphasis on fast recovery after a security breach.

The document pointed out: “A significant part of the national collection, across multiple institutions, now exists in digital form – in some cases digital-only – and we all have a vital interest in ensuring that this vast and growing national asset is protected from increasingly sophisticated and destructive cyber-attacks."

It also focused on the need for cyber-risk awareness, especially at the upper levels of the organization, specifically: “All senior officers and Board members need to have a clear and holistic understanding of cyber-risk, in order to make optimal strategic investment choices. Current risks and mitigations should be frequently and regularly discussed at senior officer level. The recruitment of a Board member or Board-level adviser with cyber expertise is strongly recommended.”

Likewise, last year the Toronto Public Library (TPL), the largest public library system in Canada with 100 branches and over 26 million items in its collection, was also the target of a ransom cyber-attack in October 2023 which caused massive disruption and revealed similar weaknesses in the way information technology and data security is handled.

A January 2024 article in Library Journal reported that, “Although TPL managed to keep all of its 100 branches open and host programs throughout the ordeal, patrons were unable to access their library accounts online or use the library’s computers for more than two months. And while TPL has also continued to manually check out print books and other physical materials, the library has been unable to process holds or check the materials back in when they are returned.

“We’ve got twelve 53-foot tractor trailers filled with returns—well over a million items,” Toronto’s City Librarian Vickery Bowles told LJ in early January 2024. “Ransomware is becoming so pervasive, and it’s affecting organizations dedicated to community well-being such as hospitals, schools, and libraries, of course. I really feel that public sector organizations are becoming targets.”

The Toronto Star reported the library system was the victim of Russian cyber extortion group Black Basta, which demanded a $10 million ransom.

According to the Library Journal story, TPL did not pay the ransom.

“We didn’t for a number of reasons, not the least of which is just by paying a ransom you’re funding and fostering further criminal activity,” Bowles said. In addition, law enforcement agencies note that there is no guarantee that the criminals will provide the key to unencrypt an institution’s files once the ransom is paid or refrain from attacking a victim again.

“Instead, TPL immediately shut down their systems, notified the city of Toronto and its cybersecurity team, the Toronto Police, and the Royal Canadian Mounted Police. TPL also began working with outside legal counsel with expertise in cybersecurity and a separate cybersecurity company to conduct a forensic analysis of the attack.”

In Feb. 2024 TLP issued a final report which, though not as detailed as the one from the British Library, stressed the need for improved cybersecurity policies, immediate access to appropriate tech support when a breach occurs, and rebuilding of their network.

In other media reports it appears that TLP is still not certain how much of its employee and patron data was compromised.

A long article on the cyber attack on the British Library was published in the New Yorker in Dec. 2023