08 March 2024
Learning lessons from the cyber-attack
Today, we’ve published a paper about the cyber-attack that took place against the British Library last October. Our hope is that doing this will help other organisations to plan and protect themselves against attacks of this kind.
The threat of aggressive and disruptive cyber-attacks is higher than it has ever been, and the organisations behind these attacks are increasingly advanced in their techniques and ruthless in their willingness to destroy whole technical systems.
This is of especial importance for libraries and all those institutions who share our mission to collect and make accessible knowledge and culture in digital form, and preserve it for posterity. Though the motive of the attack on the British Library appears to have been purely monetary, it functioned as, effectively, an attack on access to knowledge.
The paper is informed by our expert advisers and specialists, but is our own account, updated and adapted from our internal investigations into the incident. It gives a description and timeline of the attack, to the best of our current understanding, and its implications for the Library’s operations, future infrastructure and risk assessment. Its goal is to share our understanding of what happened and to help others learn from our experience, with a section (‘Learning lessons from the attack’, pages 17-18) drawing out 16 key lessons. You can download and read it here.
We hope it will also help our users and partners understand why the disruption generated by the attack has had such an impact on our services, and why it is taking time for us to recover fully. Of course, every cyber-attack is different, and the best source of advice and guidance for individuals and organisations looking to protect themselves is the website of the National Cyber Security Centre (NCSC). We will continue to share updates on restoring our services on this blog and via our website.
We remain conscious at all times of security, and have sought to avoid providing information that could in any way aid future attacks, or inhibit the law enforcement agencies in their task of tracking down the perpetrators. The paper does not go into detail about costs, as the net financial impact of the attack is still under review, nor have we gone into detail about the organisation behind the attack, Rhysida, as this information is better available from other sources such as the specialist technology press.
Wherever possible, though, we have tried to err on the side of openness, and not everything here makes comfortable reading for ourselves as an organisation. We have significant lessons to learn about matters such as our historic reliance on a complex legacy infrastructure, which has affected our ability to restore services as quickly as we would have wished, and the varying effectiveness of different security measures across our digital estate.
We are also conscious of our duty as data controllers and deeply regret the loss of control of some personal data, for which we apologise wholeheartedly to everyone affected. We have co-operated with the Information Commissioner’s Office since the start of the incident, and will abide by the findings of any report they may publish in due course.
Whatever your perspective – whether you are a member of the public, a British Library user or staff member affected by the attack, a peer institution in the library or cultural sector, or indeed any other kind of organisation concerned about these issues – we hope you find this report useful. If the outcome is increased resilience and protection against attack for the UK collections sector and others, then at least one good thing will have emerged from this deeply damaging criminal attack.
Sir Roly Keating
Chief Executive