When the library is a crime scene

Cyberattacks on major libraries, including the British Library and the Toronto (Canada) Public Library, have had a crippling effect on their ability to provide even routine services. We look at what happened, the repercussions, the cost involved to recover and how to prevent such calamities going forward.

Most of us can’t fathom a library as a crime scene. Yet that is how Roly Keating, CEO of the British Library, and Vickery Bowles, City Librarian at the Toronto Public Library, characterised the situations following separate cyberattacks on their libraries this past October. They use the notion of library as crime scene in a literal fashion, not as a librarian-created program designed to engage with readers and aficionados of true crime and murder mystery books. It’s not an escape room escapade. No, recovering from a cyberattack is a very real and lengthy process, with enormous costs, and make no mistake, a cyberattack is a criminal activity.

The cyberattack on the British Library began the last week of October 2023 with the website going down on the 28th, which the library initially attributed to a technical problem. On the 31st, the library announced that it was, in fact, a major ransomware attack. In addition to losing the website, the library could no longer provide electronic access to its collection, with its catalogue, online learning resources, and electronic research services sidelined by the hackers. Even email communications were affected. The physical sites remained open, as did exhibits, but the disruption to collection access rendered simply being present in the library much less useful than before the cyberattack. As a positive, data from its Digital Library System, most importantly the digital legal deposit content that the library has a statutory duty to collect and preserve, were unaffected. On the negative side, personal information was stolen and offered for sale on the dark web.

The catalogue came back online in mid-January 2024 but it is only a snapshot as of April 2023, without any new records added since then.

Toronto Public Library

In Toronto, 28 October was also the day the Toronto Public Library, which has 100 branches and is the largest library system in the country, was attacked. Library operations such as public computers, some digital collections, holds, library card renewals, the library website, and map passes were rendered inoperable. Book returns couldn’t be electronically checked back in, so were stored in trailers, thus diminishing the number of books available for actual checkout. Additionally, personal information of employees, but not of patrons, was stolen by the hackers. Unlike the British Library, at the Toronto Public Library, email was not affected.

As of the end of January 2024, partial services had been restored, although the online catalogue, user accounts, and search functionality were still down. On its website, which is now back online, the library stated it expects everything to be back up by the end of February 2024.

Ransomware as a Service

In both instances, the police were called in to investigate these ransomware attacks and a forensic examination was put in place. The British Library’s Keating referred to it as a “smash and grab” operation, deeming the demand for a ransom “a crude attempt at extortion”. The culprit in the British Library cyberattack was Rhysida. According to The Guardian, Rhysida is thought to be a Russian gang, and several U.S. government agencies believe the Rhysida gang is hiring out malware to criminals and sharing the ransomware proceeds. That’s the essence of Ransomware as a Service (RaaS). Cynet reports that Rhysida “exploited a vulnerability in the British Library’s VPN software, which allowed them to bypass a firewall and access the internal network”.

Black Basta is thought to be behind the Toronto cyberattack. Another RaaS gang, it is also apparently of Russian origin. Calling it a “credible threat”, the U.S. Office of Information Security at the Health & Human Services (HHS) agency said it was originally spotted in early 2022. Further, it said, “Black Basta operators are cunning, often utilizing unique TTPs to gain entry, spread laterally, exfiltrate data, and drop ransomware”.

Neither the British Library nor Toronto Public paid the ransom, preferring to tough it out and rebuild. The cost of doing this is high, but even if ransom is paid, there is no guarantee that the data will be restored. As the Toronto Public Library noted, “While payment would likely prevent immediate publication of stolen data on the dark web, TPL could not treat the data as recovered and we could not guarantee that affected individuals are not at continued risk. TPL would also face criticism for contributing to ransomware crime.” Even when organizations have a 'Do Not Pay' policy, research from Cohesity indicates that most companies pay millions in ransoms, regardless of the policy.

The British Library estimated it will cost £6-7 million, 40% of its reserves, to recover from the attack. Toronto has not revealed what it might cost for its recovery, but it certainly won’t be inexpensive. Neither library indicated whether any of the recovery expenses might be covered by insurance.

Impact to library users

It’s obvious that the immediate impact to library users when a cyberattack occurs is the loss of access to materials. If library computers are inoperative, all the electronic resources to which a library subscribes essentially disappear for those who rely on in-library computers. Even those who use their own computers at home for research using library resources are impacted. If resources are accessed via the library’s website and that website goes dark, so do the databases and digital collections. Physical collections that are still on library shelves could be unavailable for checkout if hackers have disabled the library’s ILS. In the case of Toronto, returned items became unavailable since they couldn’t be checked in and returned to the shelves. Library patrons who use library computers and printers for numerous activities, from filling out job applications to doing schoolwork to communicating with friends and family, are also out of luck.

Researchers are particularly affected by the British Library attack since it prevents them from gaining access to materials available only on-site. Without a catalogue, no one knows where a particular item is housed. The British Library is a hub for researchers worldwide. Scholars who need to access physical materials at the library travel internationally to consult sources. As a result of the cyberattack, trips have had to be cancelled, incurring costs and delaying project completions. Then there is the impact on authors who lose royalties if their books aren’t borrowed. Both Canada and the UK, along with 30 others, are Public Lending Right countries. Although the British Library does not lend books, it does keep track of lending activities at UK libraries and coordinates payments to authors.

Why libraries?

It is the nature of libraries to be free, safe and open places—cyberattacks go against everything that libraries and librarians hold dear. Keating called the situation at the British Library “knowledge under attack”. Toronto’s Bowles said it “represents an attack on the very essence of civil society”. The criminals, however, probably only had money on their minds. Destroying civil society and extinguishing knowledge were simply collateral damage.

What is it about libraries that makes them so susceptible to becoming targets of cyberattacks? For one thing, they are very visible. For another, they tend to be under-resourced and thus vulnerable. Try getting additional funding just in case there’s a ransomware attack and see how far you get.

The rise of cyberattacks highlights the vulnerabilities of digital collections. If physical materials are digitised and the originals discarded, what happens if the digital copy is compromised by a cyberattack? How fragile, exactly, is our digital infrastructure in terms of preservation when the threat of ransomware lurks in the shadows of our libraries? Multiple copies and digital twins help but are not always in place.

What to do

No one wants a cyberattack. The first approach is to take steps to guard against it happening. Educate your staff about how attackers might infiltrate your networks. Email phishing is probably first on the list of how they worm their way into your system. It’s how they obtain login credentials and manipulate remote desktop protocol vulnerabilities to gain control of employees’ computers. Make sure you run regular backups and patch systems when updates are issued. Run tests to determine potential trouble spots. From a business perspective, check your insurance policy. Are you covered for ransomware demands?

If the worst happens, as with the British Library and Toronto Public Library, communicate to both the public and your staff about what is going on and what you’re doing about it. We tend to think of disaster recovery plans and communication protocols in terms of natural disasters such as floods or fire. But a cyberattack is equally disastrous. A communication policy is essential to keep up staff morale and educate the public.

For other ideas about keeping libraries safe, read Steve Albrecht’s article in Computers in Libraries, June 2023. His list of questions to ask your IT department is particularly insightful.