Rhysida Ransomware Hits British Library

In October 2023, the British Library, a cornerstone of the UK’s cultural heritage, faced a severe cyberattack. The Rhysida ransomware group infiltrated its systems, encrypting vast amounts of data and demanding a ransom of 20 Bitcoin—approximately £600,000 at the time—for its release. The library, adhering to national cybersecurity policies, chose not to engage with the attackers or meet their demands.

The attack had immediate and profound consequences. The library’s computer systems, website, phone network, and public Wi-Fi were paralyzed for over three weeks. Visitors had to fall back on manual catalogue requests at the King’s Cross location, a stark contrast to the institution’s usual digital services. The disruption was so significant that the library’s main catalogue remained in a read-only format until January 2024, with some services expected to remain unavailable for months.

In response to the library’s refusal to pay the ransom, Rhysida escalated their tactics. They initiated a week-long auction on the dark web, offering the stolen data to the highest bidder. The starting bid was set at 20 Bitcoin, emphasizing the exclusivity and sensitivity of the information. When no bids were received, Rhysida released approximately 600GB of data online, including personal information of staff, readers, and visitors. This data comprised nearly 500,000 files, many of which were extracted from the library’s customer relationship management (CRM) database. The leaked information included names, email addresses, and, in some cases, postal addresses and telephone numbers. Fortunately, no financial data was included in the breach.

The British Library’s decision not to pay the ransom was in line with the UK’s national policy, which advises against such payments to deter cybercriminals. However, this stance came at a significant financial cost. The library estimated that rebuilding its IT systems would require £6–7 million, about 40% of its unallocated cash reserves. This incident highlights the escalating threat of ransomware attacks on critical institutions and the complex decisions organizations face when confronted with such breaches.

Rhysida’s attack on the British Library was not an isolated incident. The group has a history of targeting large organizations, including healthcare institutions. For instance, in August 2023, Rhysida attacked Prospect Medical Holdings, a U.S. hospital group, encrypting its data and demanding a ransom. The group also threatened to leak the data of more than 200,000 patients and employees, including 500,000 Social Security numbers, corporate documents, and patient records. This attack severely impacted operations at hundreds of clinics and hospitals across the United States.

The Rhysida ransomware group employs a ‘double extortion’ strategy. They not only encrypt data but also exfiltrate sensitive information, threatening to release it unless a ransom is paid. This approach increases the pressure on organizations to comply with demands, as the potential reputational damage from data leaks can be substantial. Rhysida’s tactics underscore the evolving nature of cyber threats and the need for robust cybersecurity measures.

In the aftermath of the British Library attack, the institution took several steps to enhance its cybersecurity posture. The library collaborated with the Metropolitan Police and the National Cyber Security Centre (NCSC) to investigate the breach and implement measures to prevent future incidents. The attack also served as a wake-up call for other organizations, particularly in the public sector, about the importance of cybersecurity.

The British Library’s experience offers several lessons for organizations facing similar threats:

  1. Do Not Engage with Attackers: Paying a ransom does not guarantee the return of data and may encourage further attacks. Organizations should adhere to national policies and avoid engaging with cybercriminals.

  2. Invest in Cybersecurity Infrastructure: Proactive investment in cybersecurity can prevent breaches and mitigate their impact. Regular system updates, employee training, and robust security protocols are essential.

  3. Develop a Comprehensive Response Plan: Having a clear and tested incident response plan can expedite recovery and reduce downtime. This plan should include communication strategies, technical responses, and legal considerations.

  4. Collaborate with Authorities: Engaging with law enforcement and cybersecurity agencies can provide valuable resources and expertise in handling cyber incidents.

The Rhysida ransomware attack on the British Library serves as a stark reminder of the vulnerabilities inherent in our increasingly digital world. It underscores the necessity for organizations to prioritize cybersecurity and to be prepared for the complex challenges posed by cybercriminals.

1 Comment

  1. The collaboration between the British Library, the Metropolitan Police, and the NCSC highlights the value of information sharing and coordinated responses. Could sector-specific cybersecurity alliances, with pre-agreed protocols, further enhance resilience against these evolving threats?
