The British Library says its overreliance on “complex legacy infrastructure” seriously hampered its ability to recover from a ransomware attack in late 2023.
In a post-mortem analysis published after the incident, the organization said a combination of outdated technology and misguided security priorities created a confluence of challenges as teams scrambled to react and remedy the damage.
Chief executive Sir Roly Keating apologized for the library's response to the attack, adding that the institution “deeply regrets the loss of control over some personal data.”
“We have important lessons to learn about issues such as our historical dependence on complex legacy infrastructure, which has affected our ability to restore services as quickly as we would have liked, and the varying effectiveness of different security measures across our digital estate,” says chief executive Sir Roly Keating.
The attack was first identified as a major incident on October 28 last year, when a member of the technology team was unable to access the library's network.
The library immediately contacted the National Cyber Security Centre (NCSC) and engaged specialist advisors from NCC Group, subsequently contacting the Information Commissioner's Office (ICO) and other regulatory and law enforcement bodies.
An initial investigation found that the attackers actually gained access at least three days earlier. However, a vulnerability scan yielded no results and no repeat activity was observed.
Only in retrospect did the team realize that this was probably a reconnaissance exercise.
British Library security teams have not yet been able to determine how entry was achieved, due to both the severe damage caused to the servers and the anti-forensic measures taken by the attackers.
However, their best guess is that it occurred through compromise of privileged account credentials, possibly through a phishing or spear-phishing attack or a brute force attack.
In another mistake, multi-factor authentication (MFA) was not used in all domains for reasons of practicality, cost, and impact on ongoing library programs. The library said this almost certainly helped the attackers.
Meanwhile, some of the older software used by the library was unable to cope with the sophisticated techniques employed by the attackers.
The attack was claimed by ransomware group Rhysida and led to the release of thousands of stolen files after the library refused to pay a £600,000 ransom.
The group also encrypted data and systems and destroyed some servers to make system recovery difficult and cover their tracks.
According to the British Library, it is this aspect of the incident that caused the most serious problems following the attack. While the library has secure copies of all digital collections, it no longer has a viable infrastructure to restore them.
Other important software applications cannot be restored to their original pre-attack form because they are no longer supported by vendors or because they will not work on the new infrastructure that is currently being deployed.
“Although the security measures we had in place on October 28, 2023 were extensive and had been accredited and stress tested, in retrospect, there are many things we wish we had understood better or prioritized differently,” the report states.
British Library plans major security shake-up
The library is already implementing changes and increasing security measures, such as backups and MFA.
It is also introducing a new Modern Library Services Program and data management and reporting architecture, and is modernizing its administrative and storage tools.
“The document is produced by our expert advisers and specialists, but is our own version, updated and adapted from our internal investigations into the incident,” Sir Roly said.
“If the result is greater resilience and protection from attack for the UK collections sector and others, then at least some good will have come from this deeply damaging criminal attack.”