Learning Lessons from the cyber-attack, British Library, 8 March 2024
British Library cyber incident review 8 March 2024
This paper aims to provide an overview of the cyber-attack on the British Library that took place in October 2023 and examines its implications for the Library’s operations, future infrastructure, risk assessment and lessons learned. Its purpose is to ensure a common level of understanding of key factors that may help peer institutions and other organisations learn lessons from the Library’s experience.
The report is structured as six sections, with an Executive Summary.
EXECUTIVE SUMMARY
This paper provides an overview of the cyber-attack on the British Library that took place in October 2023 and examines its implications for the Library’s operations, future infrastructure, risk assessment and lessons learned.
Following an extensive forensic investigation by the Library and our cyber security specialists, this paper sets out a detailed timeline of when and how the attack took place, including a suspected instance of hostile reconnaissance a few days before the major ransomware attack of Saturday 28 October. Although the attackers encrypted or destroyed much of our server estate during the course of the attack, we have identified a server we consider likely to have been the point of entry, and explore why our security measures were not sufficient, in spite of the routine use of security assessments including penetration tests where appropriate.
The criminal gang responsible for the attack copied and exfiltrated (illegally removed) some 600GB of files, including personal data of Library users and staff. When it became clear that no ransom would be paid, this data was put up for auction and subsequently dumped on the dark web. Our Corporate Information Management Unit is conducting a detailed review of the material included in the data-dump, and where sensitive material is identified they are contacting the individuals affected with advice and support.
As well as the exfiltration of data for ransom, the attackers’ methods included the encryption of data and systems, and the destruction of some servers to inhibit system recovery and to cover their tracks. The latter has had the most damaging impact on the Library: while we have secure copies of all our digital collections – both born-digital and digitised content, and the metadata that describes it – we have been hampered by the lack of viable infrastructure on which to restore it. The re-build of our infrastructure, on equipment approved and purchased before the attack, has been under way since December 2023 and remains ongoing.
The impact on the Library’s systems and services has therefore been deep and extensive. Although Library premises have remained open throughout and exhibitions, events and Reading Room access have all been maintained, our research services were severely restricted in the first two months, and remain incomplete even following the return of a searchable version of our online catalogue on 15 January 2024. Staff across the Library are working hard on full restoration and are continuing to share updates with our users.
Our major software systems cannot be brought back in their pre-attack form, either because they are no longer supported by the vendor or because they will not function on the new secure infrastructure that is currently being rolled out. This includes our main library services platform, which supports services ranging from cataloguing and ingest of non-print legal deposit (NPLD) material to collection access and inter-library loan. Other systems will require modification or migration to more recent software versions before they can be restored in the new infrastructure. Our cloud-based systems, including finance and payroll, have functioned normally throughout the incident.
The paper outlines the impact of the attack on the delivery of the Library’s mission and its public purposes. Most severely hit during the crisis have been our purposes relating to Custodianship and Research, as these have been directly impacted by the loss of core systems relating to collection access. Our public purposes relating to Business, Culture, Learning and International partnership have been relatively less affected, with on-site services and activities continuing largely without significant interruption, as have our partnership networks with public libraries. Exhibitions and onsite cultural events have exceeded their targets during the period.
The Library’s crisis response is described and assessed, with staff engagement and internal communications highlighted as critically important. Leadership and communication took place via a range of channels throughout a highly disrupted situation, although the need to tightly control information during the early stages of the cyber-attack, and the uncertainties around the resumption of normal services, have caused frustration for researchers and had an impact on staff morale.
In December 2023, the Library began the transition from crisis response to recovery with the inception of a Rebuild & Renew programme, which will enable the restoration of services and the complete renewal of our technological infrastructure, in order to build back a more secure, resilient and innovative British Library. Running in parallel with the programme to modernise its library service, which was already under way, and with an accelerated programme for renewing the technology infrastructure, Rebuild & Renew will align fully with the Library’s Knowledge Matters strategy that was launched last year.
The paper considers the attack in the context of the Library’s historic technology infrastructure. The Library’s unusually diverse and complex technology estate, including many legacy systems, has roots in its origins as the merger of many different collections, organisational cultures and functions. We believe that the nature of this legacy infrastructure contributed to the severity of the impact of the attack. The historically complex shape of the network allowed the attackers wider access than would have been possible in a more modern network design, and the reliance of older applications on manual processes to pass data from one system to another increased the volume of staff and customer data held in multiple copies on the network.
Previously approved investment updates and changes are already being implemented that will reduce the impact of a future attack, reduce operating overheads by replacing legacy systems, embed security across the IT lifecycle and reduce risk in key areas such as data loss, disaster recovery and business continuity. Implementation will require significant changes to our applications, our culture and ways of working, and our policies and processes.
Future risk assessments must take into account the increased risk of major attacks on the Library and the significant culture change needed to fully embed cyber security at the heart of technology rebuild and all processes going forward. The challenge of rebuilding our technology infrastructure in full also brings risks of capacity and capability within our Technology department, which will need to be actively addressed. Due to the complexity of restoring, modifying, consolidating, retiring, rebuilding or replacing a large number of systems at the same time there will need to be a careful balance of informed analysis, visionary design, and firm objective setting and management.
We expect the balance between cloud-based and onsite technologies to shift substantially towards the former in the next 18 months, which will come with its own risks that need to be actively managed, even as we substantially reduce security and other risks by making this change. Finally, the paper aims to ensure a common level of understanding of key factors that may help libraries, peer institutions and other organisations to learn lessons from the British Library’s experiences since the attackers first struck. To this end, we also append a list of lessons we have learned on our own account, including some that may have wider relevance to our peers and partners.