AlexMastro - stock.adobe.com

Rhysida gang stole hundreds of gigabytes of British Library data

The Rhysida ransomware gang behind the cyber attack on the British Library has published almost 600GB of stolen data to its dark web leak site

The scale of the data breach affecting the British Library in the wake of a Rhysida ransomware attack is now becoming apparent after the cyber criminal gang published a 573GB tranche of data purloined from the library’s systems, comprising more than 490,000 distinct files, to its dark web leak site.

Rhysida’s operatives said the published data comprised 90% of what it had stolen, adding that it had uploaded data it had not been able to sell. This would appear to imply that the cyber criminals have managed to auction off a not-insignificant amount of data – it was originally asking 20 bitcoins for the whole amount.

Earlier this week, the British Library revealed that in addition to the internal data it thought had been stolen, the data dump also included the personal information of readers and visitors, and it has now begun to inform affected readers via email.

In the email notice, a copy of which has been seen and reviewed by Computer Weekly, and has also been published to X by HaveIBeenPwned’s Troy Hunt, the British Library revealed that Rhysida had gained access to its customer relationship management (CRM) databases.

“At a minimum, these databases contain the name and email address of most of our users. For users of some of our services, these databases may also contain a postal address or telephone number,” read the email.

The British Library has now begun to inform readers affected by the data breach via email
The British Library has now begun to inform readers affected by the data breach via email

“All of our payment processing is outsourced to secure third-party payment providers. We are, therefore, confident that no credit or debit card data was on the affected network, and that any card details you may have used to make purchases with us are still safe.

“We are continuing to work with cyber security specialists to review the security of the rest of our systems, and to safely restore our services as soon as we can. We have already implemented additional security measures to defend against future attacks,” it said.

Further to its previous statements, the British Library continues to urge customers to take additional precautions to protect themselves, and as a bare minimum should immediately change any password on any other online service that they may have also used to access its services.

The British Library added: “We’re really sorry, we know this email will be unsettling news to receive. Our community is at the heart of everything we do, and we’re putting all our available resources into investigating this incident and restoring our systems and the full range of our services.”

The British Library website is still unavailable, a month after the attack
The British Library website is still unavailable, a month after the attack

A month after Rhysida executed its crippling cyber attack, a swathe of the British Library’s services remain inaccessible, including its website and many online systems and services.

The British Library’s physical sites at St Pancras in London and Boston Spa in Yorkshire have remained open throughout, and it has successfully recovered both its public-facing Wi-Fi network infrastructure and its point-of-sale systems.

It expects to be able to stand up more services in the next few months, but is now warning that the disruption may persist for months to come – it has not given a precise timetable for this, for obvious reasons.

Computer Weekly coverage of the British Library attack

Read more on Data breach incident management and recovery