Libraries under Attack

British Library Cyber Attack
by Sandy Malcolm
Feature Date: 7/12/2023
News Story

By now, all of our readers will be aware that the British Library was attacked by cybercriminals in late October 2023, and that at the time of writing (early December), almost no online or electronic services have been restored. The BL catalogue is inaccessible online or on-site, as is ESTC, both essential tools for scholars, booksellers and collectors worldwide, but the problem goes much further than that. No BL items can be retrieved from storage (though those ordered prior to the attack and already in the Reading Rooms can be used – but not returned to storage), and the Library cannot even accept electronic payments in person in the shop, for events or for exhibition tickets – only cash payments can be taken. (Within the last few days, event tickets can be purchased from a non-BL website.) Though the building remains open, its Reading Rooms are currently being advertised as for “personal study” only. However, as all sales within the BL are handled by a third party, the Library’s users’ financial data is thought to be safe; we must be thankful for small mercies.

The criminals responsible have executed a “ransomware” attack, ie all of the BL’s data has been encrypted and will remain inaccessible unless a large sum of money is paid in Bitcoin, an untraceable digital currency; this is widely used on the Dark Web for the purchase of drugs, arms and other illegal commodities (though of course its use is not restricted to such items). Naturally the Library will not pay such a ransom on principle, even if funds were available – and in any case payment is no guarantee that the data would be released: these are not honest brokers. Some of the data (seemingly from the BL’s HR system, ie personal details of staff members) is currently being offered for sale on the Dark Web. The same group of criminals has apparently attacked the Toronto Public Library, and many of its services online and off are, like the BL’s, currently unavailable.

Our sympathies are naturally with all of those affected, wherever they are in the world, and in particular with friends and colleagues on the BL staff, whose nationally important work has perforce come to a complete standstill.

And yet ... it seems utterly extraordinary that such an attack should have been successful. Any organisation, public or private, with a significant online presence must of necessity devote significant resources to its network security; indeed organisations of even moderate size will employ a team of IT specialists whose sole function is to protect the organisation from the sort of attack which has closed down almost all of the BL’s services. The glacially slow speed of recovery from the attack is in itself a matter of concern, as it implies that the Library’s disaster recovery (aka business continuity) planning was wholly inadequate, at least for an attack on its computer systems. One can only hope that the Library’s data backup strategy was more comprehensive than its disaster planning, and that every byte of data accessible before the attack will be available again in due course (though there is talk of full recovery taking months rather than weeks). It is hardly necessary to state that any organisation on a more commercial footing whose online systems were unavailable for this length of time would most likely be out of business by now.

The Library’s reputation has been severely damaged by this attack, or rather by its success, and the speed with which its reputation can be restored will be directly proportional to the speed of recovery, thus far sluggish indeed. Other institutions have successfully repelled such attacks in the past, and the prominence given to similar successful attacks on other organisations, such as the NHS, should have long ago alerted senior management at the BL to the overwhelming importance of securing its network; it is a matter of deep regret that this evidently never happened.

Link to latest updates from the BL on available services: https://blogs.bl.uk/living-knowledge/index.html

An updated account of this issue will be printed in our Spring 2024 issue. 

Let us know your thoughts - email editor@thebookcollector.co.uk