Public Sectorransomware5 min read

British Library Cyber Attack

Downtime Duration

2 years

Estimated Costs

£6-7m (Recovery Costs) £1.6m (Lost Income)

Records Exposed

600GB of Library Content Leaked; 573GB of Employee Data Leaked

Operational Impact

  • Online services disrupted for 2 years
  • Payments to 20,000 creatives halted
  • Library's 2024–25 Visiting Fellowship Programme Suspended
  • Pen and Paper used in lieu of digital resources by staff

Summary

The British Library is one of the most famous and largest public libraries in the world. However, in the face of a ransomware attack, they went from digital resource, to being sent back to paper.

Full Analysis

Introduction 

It’s been over two years since the British library fell victim to a cyber-attack that crippled its most valuable systems. Gigabytes of information, knowledge and culture from the World’s largest library being digitally ensnared, unavailable for the World to see. Ironically, in this digital age the library was sent back to paper and in-person consultation only! And despite dealing with the hackers and regaining their invaluable digital catalogue, the British Library is still healing from the damage caused and the data leaked. 

Entry Vector 

On the 28th October 2023, the British Library was operating as normal. There were some slightly abnormal technological difficulties such as no Wi-Fi access (newyorker.com, 2023), but this seemed to just be a simple technological outage, an easily fixable issue that happens all the time.  By the 30th of October, however, the British Library had lost access to everything: their digital systems and their online catalogue. 

It was later revealed that the library’s systems had been compromised and encrypted in a deliberate cyber-attack. The main culprits who later claimed responsibility were Rhysida, a Eurasian hacker group and ransomware service provider. They launched a ransomware attack on the Library, stealing media and employee data in exchange for a ransom of 20 Bitcoin, roughly £596,000. (TheGuardian.com, 2024B). 

Rhysdia (Named after a centipede genus) uses social engineering tactics such as phishing to access sensitive files, copy them to their secure servers and encrypted the files and digital services left behind (infosecurity-magazine.com, 2024). They are most well-known for targeting US healthcare services, the Chilean army, and leaking data on upcoming games by Insomniac Games. 

Infosecurity-magazine.com went into detail about the specifics of how Rhysdia accessed and stole the library’s sensitive data (infosecurity-magazine.com, 2024): 

  1. “Their targeted attack copying entire sections of network drives belonging to Finance, Technology and People teams. These files comprised 60% of the total content copied. 
  1. A keyword attack scanning the network for any file or folder that used certain sensitive keywords in its naming convention, such as ‘passport’ or ‘confidential,’ making up around 40% of the data copied. This included files from corporate networks and from drives used by staff for personal purposes. 
  1. Native utilities were hijacked and used to forcibly create backup copies of 22 databases, several of which were believed to contain contact details of external users and customers.” 

After getting as much data as they could, Rhysdia then destroyed the library servers to limit system recovery and prevent themselves from being traced.  

Recovery  

The damage of the hack was so severe that even three months after the attack, the library had yet to recovery from its initial attack (TheGuardian.com, 2024B). However, the library began to make progress four months later in early 2024, when they recovered their online catalogue of read only material (BBC.com, 2024B). By September of 2024, the library announced on their blog that by they were able to restore full access for academic materials as well as online media orders (blogs.bl.uk., 2024). 

As of November 2025, the British library has continued to recover, with services and features being restored and updated every day (bl.uk, 2025). However, they still have a long way to go, with some key services, like e-books, archives and the manuscripts catalogue still unavailable (Independent.com, 2025). 

Impact 

Financial  

The British Library never paid the bitcoin Ransom, leading to 600GB of material (90% of Library’s catalogue) being leaked online (BBC.com, 2024A).  

Authors had missed royalty payments from their published works because of the hack affecting the Public Lending Right (PLR) payment system, which the British library controls. The PLR system works by paying an author every time their works are borrowed, paying them a maximum of £6,600 per year. (TheGuardian.com, 2024C) 

The British Library drained up to 40% of their financial reserves to recover from the attack, amounting to £6-7 Million (FinancialTimes.com, 2024). To add insult to injury, they were later blamed for not investing enough into IT, which in retrospect, might have cost them much less in the long run.  

User Data 

Since the British Library refused to pay the ransom fee, 573GB of their employees’ personal data was later auctioned off in Rhysida’s own darknet website (Blogs.lse.ac.uk, 2025). This would have long lasting consequences as many staff members’ personal lives were upended; many had to move houses in response to doxing threats and were subjected to defrauding attempts through their leaked contact details (independent.co.uk, 2025).   

IT Systems 

The scope of the hack was so severe, it was described as sending the British Library back to ‘pre digital age’ of accessing material (newyorker.com, 2023). 

As previously mentioned, a large amount of blame was placed on the lack of investment into IT systems and outdated security systems, such as a lack of multi-factor authentication exacerbating the attack (Information’s Commissions Office (ICO) (ico.org, 2025). ICO did, however, commend the British Library for their transparency on the vulnerabilities of their systems and concluded that further investigation would be a waste of time and resources.    

There were plenty of vulnerabilities in the British Library’s system before the attack took place. For one thing the organisation had yet to update their legacy IT infrastructure which meant that not only was it easier to access but harder to prevent an attack and restore systems when they were compromised (itpro.com, 2025). Their network monitoring capabilities and intrusion detection processes also required updating, facts the library itself admitted in a post-attack investigative review (British Library, 2024).  

It wasn’t just outdated systems that failed the British library; their human resources were lacking. They consistently used third party IT support, meaning they had no in-house technical staff familiar with their systems so they can be repaired at a moment’s notice. (Blogs.lse.ac.uk, 2025) This over-reliance on third parties might be due to their own overwhelmed IT support that lacked the manpower, or an intimate knowledge of the library’s IT systems, an unfortunate occurrence in many UK public institutions due to spending cuts.  

The Seamless Solution 

  • Having freshly updated software and cyber defences is a must. A major reason why Rhysdia was so successful was that they were able to bypass the antiquated firewall. 
  • Updated software is one thing, but sometimes the human factor is just as important; having a fully trained and experienced IT staff on hand who are familiar with the systems will allow for a more rapid and successful response. 
  • Rhysdia’s main plan was to use social engineering tactics to gain access to network drives and copy sensitive data. With Seamless, the British Library can quickly detect when one of their networks is being illicitly accessed and decisively quarantine it to deny the hackers access. 

Conclusion 

Libraries are important. They remain as the final, reliable and steadfast source of information should the internet fail. It should be said that they still hold a permanent place in society, even with the (weak) argument that they are rendered obsolete with the much more convenient internet becoming more relevant as time moves on.  

Libraries benefit a lot from the internet, but with this comes an urgent need for stable and effective cybersecurity to safeguard them as institutions as they continue to adapt to the modern age. And if the British Library’s own cyber-attack is any indication, every library’s cybersecurity must be as secure as their place in society and history. It must be Seamless. 

Sources  

  • BBC.com (2024B): British Library starts restoring services online after hack: https://www.bbc.co.uk/news/entertainment-arts-67976183 
  • Blogs.lse.ac.uk (2025): The British Library hack is a warning for all Academic libraries: https://blogs.lse.ac.uk/impactofsocialsciences/2024/03/19/the-british-library-hack-is-a-warning-for-all-academic-libraries/  
  • bl.uk (2025): Restoring our services – November 2025 update: https://www.bl.uk/stories/news/restoring-our-services-november-2025-update 
  • Blogs.bl.uk (2024): Restoring our services – 30 July 2024 update. 
  • Financialtimes.com (2024): British Library to burn through reserves to recover from cyber attack. Written by Rafe Uddin and Daniel Thomas: https://www.ft.com/content/4be5d468-0cc3-4881-a5fb-b5d0163de93e 
  • Ico.org (2025): Statement on British Library’s 2023 ransomware attack: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/04/statement-on-british-library-s-2023-ransomware-attack/ 
  • Itpro.com (2025): British Library says reliance on complex legacy infrastructure hampered cyber attack recovery: https://www.itpro.com/security/british-library-says-reliance-on-complex-legacy-infrastructure-hampered-cyber-attack-recovery 
  • infosecurity-magazine.com, (2024): Third-Party Breach and Missing MFA Contributed to British Library Cyber-Attack. Written by James Coker: https://www.infosecurity-magazine.com/news/third-party-mfa-british-library/ 
  • TheGuardian.com (2024A): A 22-carat disaster’: what next for British Library staff and users after data theft?: https://www.theguardian.com/books/2024/jan/15/british-library-cyber-attack-staff-users-analysis 
  • TheGuardian.com (2024C): Richard Osman among authors missing royalties amid ongoing cyber-attack on British Library: https://www.theguardian.com/books/2024/jan/06/authors-missing-borrowing-royalties-british-library-cyber-attack 

See the Recovery Orchestration Engine in action.

Tour the solution story built for investors and acquirers.

No lock-inIntegrates with your existing stackEnterprise ready