British Library says reliance on complex legacy infrastructure hampered cyber attack recovery


The British Library says its overreliance on “complex legacy infrastructure” seriously hampered its ability to recover from a ransomware attack in late 2023.

In a post-mortem analysis of the incident, the organization said a combination of outdated technology and misguided security priorities created a confluence of challenges as teams scrambled to react and remediate damage.

Chief executive Sir Roly Keating apologized for the library’s response to the attack, adding that the institution “deeply regrets the loss of control of some personal data”.

"We have significant lessons to learn about matters such as our historic reliance on a complex legacy infrastructure, which has affected our ability to restore services as quickly as we would have wished, and the varying effectiveness of different security measures across our digital estate," Keating said.

The attack was first identified as a major incident on 28 October last year, when a member of the technology team was unable to access the library's network.

The library immediately got in touch with the National Cyber Security Centre (NCSC) and hired specialist advisers NCC Group, later contacting the Information Commissioner’s Office (ICO) and other regulatory and law enforcement bodies.

An initial probe found that the attackers actually gained access at least three days earlier. However, a vulnerability scan came back with no results, and no repeat activity was seen.

It was only with hindsight that the team realized that this was probably a reconnaissance exercise.

Security teams at the British Library still haven't been able to work out just how entry was gained, because of both the severe damage caused to the servers and the anti-forensic measures taken by the attackers.

Their best guess, though, is that it happened through the compromise of privileged account credentials, possibly via a phishing or spear-phishing attack or a brute force attack.

In another error, multi-factor authentication (MFA) wasn't used across all domains for reasons of practicality, cost, and impact on ongoing library programs. The library said this almost certainly aided the attackers.

Meanwhile, some of the older software used by the library was unable to contend with the sophisticated techniques employed by the attackers.

The attack was claimed by the Rhysida ransomware group, and led to the publication of thousands of stolen files after the library refused to pay a £600,000 ransom.

The group also encrypted data and systems, and destroyed some servers to make it harder to recover systems and to cover their tracks.

According to the British Library, it’s this aspect of the incident that caused the most severe problems in the wake of the attack. While the library has secure copies of all digital collections, it no longer has viable infrastructure on which to restore them.

Other major software applications cannot be restored to their original, pre-attack form as they are no longer supported by vendors, or because they won’t function on the new infrastructure that is currently being rolled out.

"Although the security measures we had in place on 28 October 2023 were extensive and had been accredited and stress-tested, with the benefit of hindsight there is much we wish we had understood better or had prioritized differently," the report stated.

British Library eyes major security shake-up

The library is already implementing changes and ramping up security measures such as backups and MFA. 

It's also introducing a new Modern Library Services Programme and data management and reporting architecture, and is modernizing its back-office tools and storage.

"The paper is informed by our expert advisers and specialists, but is our own account, updated and adapted from our internal investigations into the incident," said Sir Roly.

"If the outcome is increased resilience and protection against attack for the UK collections sector and others, then at least one good thing will have emerged from this deeply damaging criminal attack."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.