British Library confirms data stolen during ransomware attack

The British Library, the national library of the United Kingdom and one of the world’s largest libraries, has confirmed that a ransomware attack led to the theft of internal data.

In late October, the British Library first disclosed it was experiencing an unspecified cybersecurity incident that caused a “major technology outage” across its sites in London and Yorkshire, which downed its website, phone lines, and on-site services, such as visitor Wi-Fi and electronic payments.

Two weeks on, and the British Library outage is still ongoing. However, the organization has now confirmed the disruption is the result of a ransomware attack launched “by a group known for such criminal activity.” The British Library said that some internal data has leaked online, which “appears to be from our internal HR files.”

This confirmation comes hours after the British Library was listed on the dark web leak site of the Rhysida ransomware gang. The listing, seen by TechCrunch, claims responsibility for the cyberattack and threatens to publish data stolen from the British Library unless the library pays a ransom. At the time of writing, the gang was demanding more than $740,000 worth of bitcoin.

The Rhysida ransomware gang hasn’t said how much or what types of data it has stolen from the British Library, but samples of the data shared by the gang appear to include employment documents and passport scans.

Rhysida was last week the subject of a joint CISA and FBI advisory, which warned that the group leverages external-facing remote services, such as VPNs, to compromise organizations across the education, IT and government sectors. The advisory also warned that Rhysida, which was first observed in May, shares overlaps with the Vice Society ransomware gang, a hacking group known for ransomware extortion attacks on healthcare and educational organizations.

“Notably, according to the ransomware group’s data leak site, Vice Society has not posted a victim since July 2023, which is around the time Rhysida began reporting victims on its site,” Sophos researchers Colin Cowie and Morgan Demboski wrote in a recent analysis of Rhysida.

It’s not uncommon for ransomware gangs to disband, rebrand or create new malware variants, often as a way to evade government sanctions or avoid arrest by law enforcement.

In a statement on Monday shared on X (formerly Twitter), the British Library said it has “no evidence” that the data of its customers was compromised but is recommending that users change their passwords as a “precautionary measure,” particularly if customers use the same passwords across multiple services.

It’s not known if the British Library has the technical means to determine if customer data was taken.

The British Library has not yet said how it was compromised, how much employee data was stolen, or whether it has received communications or a ransom demand from the hackers. The British Library did not respond to TechCrunch’s questions, though it’s not clear if the organization has access to email services. The library’s website remains offline at the time of publication.

The British Library said in its latest statement that it could take weeks, or possibly even longer, for it to recover from the ransomware attack. “We anticipate restoring many services in the next few weeks, but some disruption may persist for longer,” the statement said.

“In the meantime, we’ve taken targeted protective measures to ensure the integrity of our systems, and we’re continuing to investigate the attack with the support of [National Cyber Security Centre], the Metropolitan Police and cybersecurity specialists.”