The British Library, the national library of the United Kingdom and one of the largest libraries in the world, confirmed that a ransomware attack led to the theft of internal data.
In late October, the British Library first revealed that it had experienced an unspecified cybersecurity incident that caused a “massive technology outage” at its sites in London and Yorkshire, taking down its website, phone lines, and on-site services, such as guest Wi-Fi and electronic payments.
Two weeks later, the British Library outage is still ongoing. However, the organization confirmed today that the disruption was the result of a ransomware attack launched “by a group known for such criminal activity.” The British Library said some internal data had leaked online, which “seems to be from our internal HR files.”
This confirmation comes hours after the British Library was listed on the Rhysida ransomware gang’s dark web leak site. The listing, seen by TechCrunch, claims responsibility for the cyberattack and threatens to publish data stolen from the British Library unless it pays a ransom demand. The gang is demanding more than $740,000 worth of bitcoin at the time of writing.
The Rhysida ransomware gang did not say how much or what types of data it stole from the British Library, but samples of data shared by the gang appeared to include work documents and passport scans.
Rhysida was last week the subject of a joint CISA and FBI advisory, which warned that the group was using external-facing remote services, such as VPNs, to compromise organizations across the education, IT, and government sectors. The advisory also warns that Rhysida, which was first observed in May, overlaps with the Vice Society ransomware gang, a hacking group known for ransomware extortion attacks on organizations in health care and education.
“Notably, according to the ransomware group’s data leak site, the Vice Society has not posted a single victim since July 2023, which is around the time Rhysida began reporting victims on its site,” Sophos researchers Colin Cowie and Morgan Demboski wrote in a recent analysis of Rhysida.
It’s common for ransomware gangs to break up, rebrand, or create new variants of their malware, often as a way to avoid government penalties or arrest by law enforcement.
In a statement on Monday shared on X (formerly Twitter), the British Library said it had “no evidence” that its customers’ data had been compromised but recommended that users change their passwords as a “precautionary measure,” especially if they use the same password for multiple services.
It is not known whether the British Library has the technical means to determine whether customer data has been obtained.
The British Library has not yet said how it was compromised, how much employee data was stolen, or whether it received communications or a ransom demand from the hackers. The British Library did not respond to TechCrunch’s questions, although it was unclear whether the organization had access to email services. The library website remains offline at the time of publication.
The British Library said in its latest statement that it could take weeks, or possibly longer, for it to recover from the ransomware attack. “We expect to restore most services over the next few weeks, but some disruptions may continue longer,” the statement said.
“In the meantime, we are taking targeted protection measures to ensure the integrity of our systems, and we are continuing to investigate the attack with the support of the [National Cyber Security Centre], Metropolitan Police and cybersecurity specialists.”