Full Report
The ICO has decided not to fine the British Library for a 2023 ransomware breach
Analysis Summary
# Incident Report: British Library Ransomware Attack and ICO Decision
## Executive Summary
The British Library suffered a catastrophic ransomware attack in October 2023, attributed to a Rhysida affiliate, which resulted in the exfiltration of 600GB of internal data, including PII, and the encryption or destruction of critical systems. The library estimated its losses at £1.6 million during recovery. The UK's Information Commissioner's Office (ICO) ultimately decided not to pursue a formal investigation or punitive action, citing the need to prioritise its resources elsewhere.
## Incident Details
- **Discovery Date:** October 2023 (Approximate, based on attack date)
- **Incident Date:** October 2023
- **Affected Organization:** British Library
- **Sector:** Cultural/Public Body (Government-sponsored)
- **Geography:** UK
## Timeline of Events
### Initial Access
- **Date/Time:** October 2023
- **Vector:** Not stated in the source; the attack is attributed to a Rhysida ransomware affiliate.
- **Details:** Attackers gained access to the library's environment and deployed ransomware.
### Lateral Movement
- **Details:** Attackers were able to move within the network, leading to the encryption of critical data and systems.
### Data Exfiltration/Impact
- **Details:** 600GB of internal data, including Personally Identifiable Information (PII) belonging to users and staff, was stolen. Attackers also destroyed some servers to disrupt system recovery and maintain anonymity. The stolen data was listed for sale and subsequently published on the dark web.
### Detection & Response
- **Detection:** Incident detected in October 2023, leading to an immediate response.
- **Response Actions:** The Library entered an 18-month "renew" phase focused on rebuilding IT infrastructure through upgrades, adaptations, and new technology purchases. The ICO reviewed the case but declined further investigation in May 2025.
## Attack Methodology
- **Initial Access:** Not explicitly detailed; the use of Rhysida ransomware suggests initial access via phishing, exploitation of vulnerabilities, or compromised credentials.
- **Persistence:** Implied, as attackers had time to exfiltrate 600GB of data.
- **Privilege Escalation:** Not explicitly detailed, but necessary to access PII and critical systems.
- **Defense Evasion:** Implied, as the attack persisted long enough for large-scale data theft and system destruction.
- **Credential Access:** Inferred, given broad access to PII and staff data.
- **Discovery:** Inferred, required to identify and target 600GB of sensitive data.
- **Lateral Movement:** Confirmed, as systems were encrypted and servers destroyed.
- **Collection:** Theft of 600GB of internal data, including PII.
- **Exfiltration:** Data was listed for sale and then published on the dark web.
- **Impact:** Encryption of critical data/systems and destruction of some servers, resulting in significant operational disruption and data loss.
## Impact Assessment
- **Financial:** Estimated losses reached £1.6 million ($2.1m) as of March 2024.
- **Data Breach:** Theft of 600GB of internal data, including PII of users and staff.
- **Operational:** Significant disruption requiring an 18-month "renew" phase to rebuild IT infrastructure.
- **Reputational:** Public breach involving a national institution and publication of PII on the dark web.
## Indicators of Compromise
- **Note:** Specific IOCs (URLs, hashes) are not detailed in the provided text; only the threat actor group is named.
- **Network indicators:** N/A (Not provided)
- **File indicators:** N/A (Not provided)
- **Behavioral indicators:** Deployment of Rhysida ransomware; destruction of IT infrastructure components.
## Response Actions
- **Containment:** Not explicitly detailed; containment would have been necessary to halt ongoing encryption and exfiltration.
- **Eradication:** The focus shifted to an 18-month recovery plan involving building new IT infrastructure.
- **Recovery:** Initiated an 18-month "renew" phase involving upgrades, adaptations, and new technology purchases.
## Lessons Learned
- **Key Takeaways:** Ransomware attacks can result in catastrophic data loss (600GB) and long-term operational impact requiring extensive infrastructure rebuilds.
- **What could have been done better:** The article focuses on the regulator's decision rather than on failures in the organization's immediate response, but the severity of the outcome implies that existing security gaps were exploited.
## Recommendations
- Implement robust, segmented backups tested for rapid restoration against ransomware encryption/destruction.
- Focus on immediate detection and isolation capabilities to limit the time attackers have for data collection prior to encryption.
- Enhance organizational resilience: a rebuild of this scale (an 18-month "renew" phase) is itself a major, ongoing operational risk.