Museums, galleries and archives have been urged to tighten their cyber security following the massive ransomware attack on the British Library.
The library fell victim to a major hack by the criminal group Rhysida in October that has left it severely incapacitated.
The institution’s online systems and services are suffering ongoing disruption, while large parts of its IT estate were destroyed or encrypted and it initially lost access to basic communication tools such as email.
The gang demanded £600,000 in bitcoin as ransom for the stolen data, and later attempted to auction off a significant amount of sensitive customer and staff details on the dark web. Last week it dumped almost 600 gigabytes of leaked material online.
The incident has caused alarm among many museum and archive organisations, which are overwhelmingly reliant on digital technology for everything from booking systems to collections management and documentation.
Hacker gangs often continue to target specific sectors after identifying weak points within them, a cyber security expert has told Museums Journal. Toronto Public Library suffered a similar ransomware attack in October.
Claire Greathead, senior information security consultant at Security Risk Management Ltd, said: “[Ransomware gangs] go through phases of doing it in different areas – a few years ago it was the medical sector, more recently it’s been some of the big libraries. They find a way in and once they’ve seen it work in one place they’ll try it somewhere else.”
An attack can have severe consequences, says Greathead. After data has been compromised – even in cases where organisations have paid the ransom to retrieve it – IT systems will need to be rebuilt from scratch, while hacked organisations may also face fines and legal action for failing to adequately protect private data.
Cyber attacks are becoming more frequent and advanced, said Greathead. “Phishing mails are becoming more sophisticated – they use a lot of different routes to get to people.”
She said organisations should continually test their security systems, make sure their firewalls and protection software are fully up to date, and ensure all staff receive training to recognise phishing emails and other cyber scams.
Museums should also consider inner segmentation of their IT networks and ensure that backups are isolated rather than being kept on the same database, she said.
In a blog last week, the British Library’s chief executive, Roly Keating, outlined the extent of the damage caused by the attack.
“We took immediate action to isolate and protect our network but significant damage was already done: having breached our systems, the attackers had destroyed their route of entry and much else besides, encrypting or deleting parts of our IT estate,” Keating said.
“The library itself remains a crime scene, with a forensic investigation of our disrupted network still ongoing. In parallel, our teams are examining and analysing the almost 600 gigabytes of leaked material that the attackers dumped online – difficult and complex work that is likely to take months.”
The attack impacted the library’s reading rooms in London and Yorkshire, where collection items could no longer be retrieved and public access to the collection was put on hold.
Essential digital services, including the library’s catalogue, website and online learning resources, also went dark, with research services like the library’s collection of more than 600,000 doctoral theses unavailable.
However, the library was able to maintain public access to its physical spaces, events and exhibitions, as well as protecting its collections.
Keating said: “Although this kind of attack was something we had prepared for and rehearsed, and had taken steps to guard against, it was no less of a shock when it happened […]
“Our experience of the past two months has highlighted a great paradox for knowledge institutions in the digital age. Our deep commitment to openness, access and discovery means that we fully embrace the amazing possibilities that technology enables; while as custodians of our collections we also face an ever-increasing challenge in keeping our digital heritage safe from attack.
“Libraries, research and education institutions are being targeted, whether for monetary gain or out of sheer malice.”
The library's teams are working to develop hybrid services and workarounds that can restore some level of access to the collection while a broader programme of secure infrastructure rebuilding gets underway.
From early in the new year there will be a phased return of some key services, starting with a reference-only version of the main catalogue, which will be back online from 15 January.
Keating said: “We are as eager as our readers to restore access to the collection, but we need to exercise exceptional care to ensure we do nothing to compound the risk of further attack.”