The British Library has released a report setting out the lessons learned from the cyber incident that paralysed its IT systems in October last year. The entry point was a terminal server, implemented by a third party to give the internal IT team and its external partners more efficient remote access. A suspected combination of phishing to harvest credentials, poor communication between British Library staff and the third party responsible for setting up the server, and the absence of multi-factor authentication on that server allowed unauthorised access to sensitive data, lateral movement within the internal network and a subsequent ransomware attack.
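As an added example (not part of the British Library report or of this article), the following Python script shows how a SOC might detect the chain just described in Windows Security-log events: a successful RemoteInteractive (RDP) logon to the terminal server from an external address, which an MFA-gated gateway would not normally produce, followed by the same account opening network logons to several internal hosts within a short window. The host names, IP addresses, account names and the events themselves are constructed for the example; the event IDs and logon types are the real Windows ones.

```python
"""Detect an external remote logon to a terminal server followed by lateral
fan-out by the same account, over constructed Windows Security-log-style
events (example code, not from the British Library report)."""
from datetime import datetime, timedelta
import ipaddress

# Hypothetical environment: RFC 1918 space is "internal", one terminal server.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TERMINAL_SERVERS = {"TERMSRV01"}          # constructed host name
LATERAL_WINDOW = timedelta(minutes=30)    # look-ahead after the remote logon
LATERAL_HOST_THRESHOLD = 3                # distinct hosts that count as fan-out

# Constructed events, not real log data:
# (timestamp, EventID, LogonType, account, target host, source IP)
# EventID 4624 = successful logon, 4625 = failed logon;
# LogonType 10 = RemoteInteractive (RDP), 3 = network (SMB, WMI, ...).
SAMPLE_EVENTS = [
    ("2023-10-26T09:15:00", 4624, 10, "itadmin",     "TERMSRV01", "10.20.5.8"),
    ("2023-10-26T09:20:00", 4624, 3,  "itadmin",     "FILESRV02", "10.20.0.15"),
    ("2023-10-26T22:01:10", 4624, 10, "contractor1", "TERMSRV01", "203.0.113.45"),
    ("2023-10-26T22:03:00", 4624, 3,  "contractor1", "FILESRV02", "10.20.0.15"),
    ("2023-10-26T22:03:40", 4624, 3,  "contractor1", "DC01",      "10.20.0.15"),
    ("2023-10-26T22:05:12", 4624, 3,  "contractor1", "BACKUP01",  "10.20.0.15"),
    ("2023-10-26T22:06:30", 4624, 3,  "contractor1", "SQL03",     "10.20.0.15"),
    ("2023-10-26T23:00:00", 4625, 10, "contractor1", "TERMSRV01", "203.0.113.45"),
]


def is_external(ip: str) -> bool:
    """True when the address is outside every internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_events(raw):
    """Turn the tuple form into dicts with real datetimes, sorted by time."""
    events = [
        {"ts": datetime.fromisoformat(ts), "event_id": eid, "logon_type": lt,
         "account": acct, "host": host, "src": src}
        for ts, eid, lt, acct, host, src in raw
    ]
    return sorted(events, key=lambda e: e["ts"])


def detect(raw_events):
    """Return a list of alert dicts for the two rules described in the lead-in."""
    events = parse_events(raw_events)
    alerts = []
    for ev in events:
        # Rule 1: successful RDP logon to a terminal server from outside.
        if (ev["event_id"] != 4624 or ev["logon_type"] != 10
                or ev["host"] not in TERMINAL_SERVERS or not is_external(ev["src"])):
            continue
        alerts.append({"rule": "external_terminal_server_logon",
                       "account": ev["account"], "src": ev["src"], "ts": ev["ts"]})

        # Rule 2: the same account then reaches several other hosts over the
        # network within LATERAL_WINDOW, which is the lateral-movement pattern.
        deadline = ev["ts"] + LATERAL_WINDOW
        hosts = {
            e["host"] for e in events
            if e["event_id"] == 4624 and e["logon_type"] == 3
            and e["account"] == ev["account"]
            and ev["ts"] < e["ts"] <= deadline
            and e["host"] not in TERMINAL_SERVERS
        }
        if len(hosts) >= LATERAL_HOST_THRESHOLD:
            alerts.append({"rule": "lateral_movement_after_remote_logon",
                           "account": ev["account"], "hosts": sorted(hosts)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In the sample data the internal administrator's morning session produces nothing, the failed logon at 23:00 is ignored, and the contractor's evening session trips both rules. In a real estate the same logic would run over forwarded 4624 events from the terminal server and the domain controllers, and the external-source test should be replaced by "not from the VPN/MFA gateway's address range" once such a gateway exists.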
Because the effects of the ransomware attack are ongoing, the institution's website notes that online systems, services and some on-site facilities will remain affected for an extended period.
The criminal group responsible exfiltrated approximately 600GB of data, including personal information about library users and staff. When its ransom demand was not met, it auctioned the data and later dumped it on the dark web. Its tactics included encrypting data, manipulating systems and destroying servers, both to impede recovery and to cover its tracks; given the limitations of the Library's infrastructure, this has significantly hindered restoration. The anti-forensic measures appear to have largely worked, since pinpointing exactly how initial access was achieved has proven difficult.
Major software systems, including the main library services platform, cannot be restored because vendor support has ended or because they are incompatible with the new, more secure infrastructure. Legacy systems and manual data-transfer processes amplified the attack's impact, giving the attackers broader access than a modern network design would have allowed. The report stresses that future risk assessments must account for major cyber threats, that cybersecurity must be built into the technological rebuild and its processes, and that on-site systems should migrate to cloud-based ones.
The British Library expects service disruption to continue for several months. Its recovery plan has already introduced a new reader registration process and prioritises on-site access to digital collections. It has informed users that their data was released on the dark web, pointed them to guidance from the National Cyber Security Centre, and is analysing the compromised data.
Threats like this are often mitigated by a correct implementation of ISO/IEC 27001 together with ITIL service-management practices, in particular the ISO 27001 Annex A controls for operations security and supplier relationships (A.12 and A.15 in the 2013 edition): the former governs how a remote-access server is operated and monitored, and the latter sets out the security requirements, such as MFA, that a third party's access must meet.