
Cyber attack lessons

by Mark Rowe

At the IT business continuity and recovery services company Databarracks, Managing Director James Watts and Deputy Resilience Director Charlie Maclean-Bristol share their thoughts on the British Library cyber attack – a ransomware attack in October 2023 – and six key lessons to take away.

Attackers from the Rhysida group are believed to have gained entry to the Library’s network through a remote access server without multi-factor authentication. Moving laterally through the network, they exfiltrated around 600GB of data before encrypting systems and destroying large parts of the server estate in their wake.

When the Library refused to pay a 20 bitcoin ransom – worth around £600,000 at the time – the stolen data was published on the dark web. The nature of the attack, coupled with the Library’s unrestorable legacy infrastructure, meant that recovery required a full rebuild of core systems. This led to the launch of the ‘Rebuild & Renew’ programme – a phased approach to recovery, allowing the Library to restore services through interim solutions while rebuilding core systems in parallel.

Around five months after the attack, the Library published a detailed Cyber Incident Review. While the Library’s response and decision to publish such a transparent account have been commended by the National Cyber Security Centre (NCSC), recovery has extended beyond the planned completion date of July 2025, and costs have reached at least £7 million.

Lesson 1: Close gaps in identity and access control

The Library’s review concluded that the most likely entry point was a remote access server without multi-factor authentication. While MFA had been introduced across the organisation in 2020, not all systems were covered. As the Library found out at great cost, when basic controls fail, the impact is disproportionate.

James Watts: “The Library had identified the lack of MFA on the domain as a risk, but some systems were placed out of scope for reasons of practicality, cost and impact on ongoing programmes. With the benefit of hindsight, this seems an obvious mistake. The cost and effort of implementing MFA would have been negligible compared to the disruption and £7m recovery that followed.

“The Library says it had plans in place to implement additional protections, but the attack arrived before they could be rolled out. That’s a common position – the work is identified but loses out to competing priorities.”
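The failure mode in Lesson 1 is not the absence of MFA but an MFA rollout with scoped-out exceptions that happen to sit on the internet-facing remote-access path. The following script is an added example, not code from the article or from Databarracks, of the audit a practitioner would run over an asset inventory to surface exactly those exceptions: it ranks every system without enforced MFA by where it sits (internet-facing remote access first) and flags documented exceptions that have not been re-justified within a year. The inventory, the `System` fields and the one-year review window are constructed assumptions, not a real CMDB schema.

```python
"""Audit an asset inventory for MFA coverage gaps on remote-access entry points.

Added example (not from the article or Databarracks). The inventory and the
field names are constructed for illustration and are not any organisation's
real estate or CMDB schema.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class System:
    name: str
    role: str                      # e.g. "remote-access", "internal-app"
    internet_facing: bool
    mfa_enforced: bool
    auth_methods: Tuple[str, ...]  # e.g. ("password",) or ("password", "totp")
    mfa_exception: Optional[str] = None       # documented reason for being out of scope
    exception_review: Optional[date] = None   # when that exception was last reviewed


SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}
EXCEPTION_REVIEW_DAYS = 365  # assumption: exceptions must be re-justified yearly


def classify_gap(system: System, today: date) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) if the system lacks MFA, else None.

    Internet-facing remote-access services rank highest: a password-only
    login there is a foothold into the whole internal network.
    """
    if system.mfa_enforced:
        return None
    if system.internet_facing and system.role == "remote-access":
        severity = "critical"
    elif system.internet_facing:
        severity = "high"
    else:
        severity = "medium"
    reason = "no MFA enforced (" + ", ".join(system.auth_methods) + " only)"
    if system.mfa_exception:
        reason += f"; documented exception: {system.mfa_exception}"
        stale = (system.exception_review is None
                 or (today - system.exception_review).days > EXCEPTION_REVIEW_DAYS)
        if stale:
            reason += "; exception not reviewed within 12 months"
    return severity, reason


def find_mfa_gaps(inventory: List[System], today: date) -> List[Tuple[str, str, str]]:
    """Return (name, severity, reason) for every uncovered system, most severe first."""
    gaps = []
    for system in inventory:
        result = classify_gap(system, today)
        if result is not None:
            gaps.append((system.name, result[0], result[1]))
    gaps.sort(key=lambda gap: SEVERITY_RANK[gap[1]], reverse=True)
    return gaps


def coverage_ratio(inventory: List[System]) -> float:
    """Fraction of systems with MFA enforced: the headline number that hides the gaps."""
    if not inventory:
        return 1.0
    return sum(1 for s in inventory if s.mfa_enforced) / len(inventory)


# Constructed inventory: a typical mix with one out-of-scope remote-access server.
TODAY = date(2024, 1, 15)
INVENTORY = [
    System("vpn-gateway", "remote-access", True, True, ("password", "totp")),
    System("legacy-terminal-server", "remote-access", True, False, ("password",),
           mfa_exception="cost and impact on ongoing programmes",
           exception_review=date(2021, 6, 1)),
    System("webmail", "mail", True, True, ("password", "push")),
    System("catalogue-admin", "web-admin", True, False, ("password",)),
    System("finance-app", "internal-app", False, False, ("password",)),
]

if __name__ == "__main__":
    print(f"MFA coverage: {coverage_ratio(INVENTORY):.0%}")
    for name, severity, reason in find_mfa_gaps(INVENTORY, TODAY):
        print(f"[{severity.upper():8}] {name}: {reason}")
```

The point of reporting both numbers is that a coverage ratio on its own reads as progress (here 40 percent, and in a real rollout often far higher) while the ranked list shows that the single critical gap is the one that matters; the review-age flag is there because exceptions granted for "practicality" tend to outlive the programme that justified them.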

Lesson 2: Actively manage legacy technology risk

Legacy systems are harder to secure and, as the attack on the British Library makes clear, harder to recover.

The Library pointed to legacy infrastructure as the “primary contributor” to the severity of the impact.

James Watts: “In a 50-year-old organisation like the British Library, the burden of legacy technology runs through everything. It affected how far the attackers could move, and it made recovery far more complex. Some systems simply couldn’t be restored at all, which meant they had to be replaced.

We tend to think about legacy systems in terms of maintenance and security, but this shows the bigger issue is recoverability. Over time, that technical debt builds up – the baggage gets heavier and becomes a major factor in how well you can respond when something goes wrong.”

Charlie Maclean-Bristol: “Many of the systems couldn’t be brought back in their pre-attack form because they were no longer supported or wouldn’t work on the new infrastructure – something also seen in the NHS during WannaCry, where reliance on unsupported legacy systems hampered recovery.

If you can’t restore systems as they were, you’re rebuilding them from scratch. As the Library identified in its report, this more than anything else is what slowed down recovery.

Like the Scottish Environment Protection Agency (SEPA) after its cyber attack in 2020, the British Library used the incident as an opportunity to ‘build back better’.”

Lesson 3: Design systems to limit the impact of breach

With proper network segmentation in place, the Library could have limited the spread of the attack and reduced its overall impact.

James Watts: “The Library’s network topology allowed attackers to move laterally and access more systems than they should have been able to. That had a huge bearing on the impact. Segmentation limits how far an attacker can move, reduces the amount of data they can access and puts you in a much better position to contain the breach before it escalates. The Library has spoken about prioritising a “defence in depth” approach in its rebuild, and network segmentation is key to that.”
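Lesson 3 can be made concrete at design time: given the zones in a network and the flows the firewall policy allows each zone to initiate, a reachability search from a compromised entry zone shows how far lateral movement could extend and which zones (backups above all) stay out of reach. The script below is an added example, not code from the article or from Databarracks; the zone names and both policies are constructed for illustration, not the Library's topology.

```python
"""Estimate the lateral-movement blast radius a network policy allows.

Added example (not from the article or Databarracks). The zones and the two
policies below are constructed for illustration, not the Library's topology.
A policy maps each zone to the zones it is allowed to initiate connections to;
reachability over those rules approximates how far an attacker who has
compromised one zone can move without bypassing the firewall.
"""
from collections import deque
from typing import Dict, FrozenSet, List, Set

Policy = Dict[str, Set[str]]

ZONES = ("remote-access", "workstations", "file-servers", "directory",
         "catalogue-db", "backups")


def any_to_any(zones) -> Policy:
    """A flat network: every zone may talk to every other zone."""
    return {zone: set(zones) - {zone} for zone in zones}


FLAT_POLICY: Policy = any_to_any(ZONES)

# Segmented: remote users land on the workstation tier only; the backup zone
# pulls from its sources and accepts no inbound sessions from anywhere.
SEGMENTED_POLICY: Policy = {
    "remote-access": {"workstations"},
    "workstations": {"file-servers", "directory"},
    "file-servers": {"directory"},
    "directory": set(),
    "catalogue-db": {"directory"},
    "backups": {"file-servers", "catalogue-db", "directory"},
}


def reachable(policy: Policy, entry: str) -> FrozenSet[str]:
    """Breadth-first search over allowed flows from the compromised entry zone."""
    seen = {entry}
    queue = deque([entry])
    while queue:
        zone = queue.popleft()
        for nxt in policy.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return frozenset(seen)


def blast_radius(policy: Policy, entry: str) -> int:
    """Number of zones, beyond the foothold itself, that an attacker could reach."""
    return len(reachable(policy, entry)) - 1


def protected_zones(policy: Policy, entry: str) -> List[str]:
    """Zones the policy keeps out of reach from the given entry point."""
    return sorted(set(policy) - reachable(policy, entry))


def inbound_to(policy: Policy, target: str) -> List[str]:
    """Zones allowed to initiate sessions into `target`; for backups this should be empty."""
    return sorted(src for src, dsts in policy.items() if target in dsts)


if __name__ == "__main__":
    for label, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{label}: blast radius from remote-access = "
              f"{blast_radius(policy, 'remote-access')}, "
              f"protected = {protected_zones(policy, 'remote-access')}, "
              f"inbound to backups = {inbound_to(policy, 'backups')}")
```

The model deliberately counts only zones, not hosts, and only firewall-initiated flows: a compromised directory tier, shared credentials or an application-layer path can still reach further than the policy graph suggests, so the result is a lower bound on exposure that is useful for comparing designs rather than a guarantee. The `inbound_to` check is the one to automate against the live ruleset, since the recovery capability in Lesson 4 depends on nothing being allowed to open a session into the backup zone.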

Lesson 4: Prioritise recovery capability

Most organisations will face a successful breach at some point. When they do, the outcome is down to their ability to recover. Investment in prevention is critical, but so is investment in recovery.

James Watts: “You have to assume that, at some point, an attack will succeed. Prevention often gets top billing in cyber security, but recovery capability and what happens “right-of-breach” is just as important.

Organisations need to be confident they can recover, with air-gapped and immutable backups and tested processes to restore systems quickly and safely.”

Lesson 5: Test and exercise response and recovery plans

Every cyber attack is a reminder of the value of testing and exercising. The Library’s review highlighted its importance and singled out the need to practise scenarios involving the “total outage of all systems.”

In the Databarracks Data Health Check, which surveys 500 UK organisations, testing and exercising plans was the most-cited way to boost confidence in continuity and improve recovery from cyber attacks.

Charlie Maclean-Bristol: “When the Library opened on the Monday after the attack, core digital services were down, and staff fell back on manual workarounds to keep operations running. Was this something they had prepared for? You would hope so, but in practice, many organisations fail to exercise the more extreme scenarios where critical systems are down for extended periods.

In a major incident, that’s exactly what happens. Organisations need to be ready to operate in a degraded state and assume it will happen at the worst possible time.

The attack on the British Library was discovered at 7:35 on a Saturday morning – a time when staffing is low and exposure is high. We’ve seen the same pattern elsewhere – for M&S, it was the Easter weekend, while for SEPA, it was Christmas Eve.

Testing and exercising makes a real difference to outcomes when it’s done properly. That means running realistic scenarios, involving the right people and regularly validating that plans work under pressure.”

Lesson 6: Help build collective resilience by sharing insights

Most organisations share very little after a cyber attack, which limits how much others can learn from it. The British Library took a different approach, publishing a detailed review on 8 March 2024 that set out what happened and where things went wrong. It was strongly commended by the NCSC and the Information Commissioner’s Office (ICO).

James Watts: “The British Library’s Cyber Incident Review is a rare, in-depth account of a major ransomware attack. The default position for most organisations is to disclose as little as possible, and that’s understandable. From the victim’s perspective, there’s little to gain from sharing information, and in some cases, they’re explicitly advised not to by their insurers.

“However, when a report like this does come out, it’s of huge value to others and helps build collective resilience against future attacks.

What stands out here is the openness, particularly where it highlights the Library’s own faults. It’s a fascinating report that I’d recommend everyone involved in cyber risk read in full.”

Charlie Maclean-Bristol: “Most organisations don’t like to share their lessons, or when they do, they mainly do so behind closed doors, so it’s rare to get this level of detail in the public domain.

This is one of the best publicly available cyber incident reports, but there are others worth looking at too, including from SEPA, the Western Isles Council and Gloucester City Council. These kinds of accounts give real insight into how incidents unfold and what recovery actually looks like in practice.

Publishing the report makes the attack no less catastrophic for the British Library, but at least this way, other organisations can benefit from their experience and take steps to avoid a similar fate.”

James Watts: “There’s a lot to learn from this attack, and much of the deepest insight has been set out by the Library itself. Public sector organisations, and especially those in the GLAM sector, should take note so they don’t make the same mistakes. The British Library wasn’t uniquely vulnerable. In fact, it’s likely many of its peers would have fared worse. The opportunity now is to take these lessons seriously and act on them.

It also challenges the idea of ‘security through obscurity’ – the belief that organisations like the British Library simply aren’t likely targets. The reality is that many cultural organisations are in the crosshairs because attackers see the potential for “maximum leverage” against “minimum resistance” – valuable data, combined with constrained budgets and ageing infrastructure.

That’s why cyber security can’t be treated as a supporting function. For any organisation, it’s now a core operational responsibility. For those in the GLAM sector, it’s central to custodianship – protecting not just the collection, but the systems that make it accessible.”

And Charlie Maclean-Bristol: “Most elements of this attack will be familiar. It followed a pattern we see time and again – attackers striking at the most inconvenient time, using double extortion with data exfiltrated and systems encrypted, and leaving organisations to operate without core systems.

The response challenges are familiar too. With the website and intranet down, the Library had to rely on channels like social media, email and WhatsApp to communicate – something we’ve seen in other incidents, including during the attack at Dundee and Angus College.

The attack methods, the response challenges and the recovery constraints are not unique. They’re repeatable patterns. That means they can be planned for. Organisations shouldn’t wait to experience this first-hand to understand it. The detail is already available – the task is to turn that understanding into preparation, building the capability to respond, operate under disruption and recover effectively.”
