Key resilience lessons: What can we learn from the British Library cyber attack?

Holding more than 170 million items, the British Library is one of the world’s most important knowledge institutions and the custodian of the UK’s published record. 

When it was hit by a ransomware attack in October 2023, the shortcomings of its ageing legacy infrastructure were laid bare, with services severely disrupted and a costly recovery still ongoing more than 2 years later. 

What makes the incident stand out is not just the scale of the impact, but the Library’s decision to publish a detailed review, offering rare insight into how a major cyber attack unfolds and what other organisations can learn from it. 

We’ve explored the attack in depth in our full Anatomy of a Crisis report. In this blog, Databarracks Managing Director, James Watts, and Deputy Resilience Director, Charlie Maclean-Bristol, share their thoughts on the attack and 6 key lessons organisations should take away. 

 

What happened? 

Attackers from the Rhysida group are believed to have gained entry to the Library’s network through a remote access server without multi-factor authentication. 

Moving laterally through the network, they exfiltrated around 600GB of data before encrypting systems and destroying large parts of the server estate in their wake. 

When the Library refused to pay a 20 bitcoin ransom – worth around £600,000 at the time – the stolen data was published on the dark web. 

The nature of the attack, coupled with the Library’s unrestorable legacy infrastructure, meant that recovery required a full rebuild of core systems. This led to the launch of the Rebuild & Renew programme – a phased approach to recovery, allowing the Library to restore services through interim solutions while rebuilding core systems in parallel. 

Around 5 months after the attack, the Library published a detailed Cyber Incident Review. While the Library’s response and decision to publish such a transparent account have been commended by the National Cyber Security Centre (NCSC), recovery has extended beyond the planned completion date of July 2025, and costs have reached at least £7 million. 

Key resilience lessons 

Lesson 1: Close gaps in identity and access control 

The Library’s review concluded that the most likely entry point was a remote access server without multi-factor authentication. While MFA had been introduced across the organisation in 2020, not all systems were covered.  

As the Library found out at great cost, a single missing basic control can have a disproportionate impact: one unprotected remote access path was enough to expose the whole estate.

The Library had identified the lack of MFA on the domain as a risk, but some systems were placed out of scope for reasons of practicality, cost and impact on ongoing programmes.

With the benefit of hindsight, this seems an obvious mistake. The cost and effort of implementing MFA would have been negligible compared to the disruption and £7 million recovery that followed.

The Library says it had plans in place to implement additional protections, but the attack arrived before they could be rolled out. That’s a common position – the work is identified but loses out to competing priorities.

James Watts

Lesson 2: Actively manage legacy technology risk 

Legacy systems are harder to secure and, as the attack on the British Library makes clear, harder to recover. 

The Library pointed to legacy infrastructure as the “primary contributor” to the severity of the impact. 

In a 50-year-old organisation like the British Library, the burden of legacy technology runs through everything. It affected how far the attackers could move, and it made recovery far more complex. Some systems simply couldn’t be restored at all, which meant they had to be replaced.

We tend to think about legacy systems in terms of maintenance and security, but this shows the bigger issue is recoverability. Over time, that technical debt builds up – the baggage gets heavier and becomes a major factor in how well you can respond when something goes wrong.

James Watts

Many of the systems couldn’t be brought back in their pre-attack form because they were no longer supported or wouldn’t work on the new infrastructure – something also seen in the NHS during WannaCry, where reliance on unsupported legacy systems hampered recovery.

If you can’t restore systems as they were, you’re rebuilding them from scratch. As the Library identified in its report, this more than anything else is what slowed down recovery.

Like the Scottish Environment Protection Agency (SEPA) after its cyber attack in 2020, the British Library used the incident as an opportunity to ‘build back better’.

Charlie Maclean-Bristol

Lesson 3: Design systems to limit the impact of a breach 

With proper network segmentation in place, the Library could have limited how far the attackers were able to move once inside, reducing both the data exposed and the overall impact.

The Library’s network topology allowed attackers to move laterally and access more systems than they should have been able to. That had a huge bearing on the impact.

Segmentation limits how far an attacker can move, reduces the amount of data they can access and puts you in a much better position to contain the breach before it escalates.

The Library has spoken about prioritising a ‘defence in depth’ approach in its rebuild, and network segmentation is key to that.

James Watts

Lesson 4: Prioritise recovery capability 

Most organisations will face a successful breach at some point. When they do, the outcome is down to their ability to recover.  

Investment in prevention is critical, but so is investment in recovery. 

You have to assume that, at some point, an attack will succeed. Prevention often gets top billing in cyber security, but recovery capability and what happens ‘right-of-breach’ is just as important.

Organisations need to be confident they can recover, with air-gapped and immutable backups and tested processes to restore systems quickly and safely.

James Watts

Lesson 5: Test and exercise response and recovery plans 

Every cyber attack is a reminder of the value of testing and exercising. 

The Library’s review highlighted its importance and singled out the need to practise scenarios involving the “total outage of all systems.” 

In the Databarracks Data Health Check, which surveys 500 UK organisations, testing and exercising plans is the most-cited way to boost confidence in continuity and improve recovery from cyber attacks. 

When the Library opened on the Monday after the attack, core digital services were down, and staff fell back on manual workarounds to keep operations running. Was this something they had prepared for? You would hope so, but in practice, many organisations fail to exercise the more extreme scenarios where critical systems are down for extended periods.

In a major incident, that’s exactly what happens. Organisations need to be ready to operate in a degraded state and assume it will happen at the worst possible time.

The attack on the British Library was discovered at 7:35 on a Saturday morning – a time when staffing is low and exposure is high. We’ve seen the same pattern elsewhere – for M&S, it was the Easter weekend, while for SEPA, it was Christmas Eve.

Testing and exercising makes a real difference to outcomes when it’s done properly. That means running realistic scenarios, involving the right people and regularly validating that plans work under pressure.

Charlie Maclean-Bristol

Lesson 6: Help build collective resilience by sharing insights 

Most organisations share very little after a cyber attack, which limits how much others can learn from it. 

The British Library took a different approach, publishing a detailed review on 8 March 2024 that set out what happened and where things went wrong. It was strongly commended by the NCSC and the Information Commissioner’s Office (ICO). 

The British Library’s Cyber Incident Review is a rare, in-depth account of a major ransomware attack. The default position for most organisations is to disclose as little as possible, and that’s understandable. From the victim’s perspective, there’s little to gain from sharing information, and in some cases, they’re explicitly advised not to by their insurers.

However, when a report like this does come out, it’s of huge value to others and helps build collective resilience against future attacks.

What stands out here is the openness, particularly where it highlights the Library’s own faults. It’s a fascinating report that I’d recommend everyone involved in cyber risk read in full.

James Watts

Most organisations don’t like to share their lessons, or when they do, they mainly do so behind closed doors, so it’s rare to get this level of detail in the public domain. 

This is one of the best publicly available cyber incident reports, but there are others worth looking at too, including from SEPA, the Western Isles Council and Gloucester City Council. These kinds of accounts give real insight into how incidents unfold and what recovery actually looks like in practice.  

Publishing the report makes the attack no less catastrophic for the British Library, but at least this way, other organisations can benefit from their experience and take steps to avoid a similar fate.

Charlie Maclean-Bristol

Closing Insight

There’s a lot to learn from this attack, and much of the deepest insight has been set out by the Library itself. Public sector organisations, and especially those in the GLAM (galleries, libraries, archives and museums) sector, should take note so they don’t make the same mistakes. The British Library wasn’t uniquely vulnerable. In fact, it’s likely many of its peers would have fared worse. The opportunity now is to take these lessons seriously and act on them. 

It also challenges the idea of ‘security through obscurity’ – the belief that organisations like the British Library simply aren’t likely targets. The reality is that many cultural organisations are in the crosshairs because attackers see the potential for ‘maximum leverage’ against ‘minimum resistance’ – valuable data, combined with constrained budgets and ageing infrastructure. 

That’s why cyber security can’t be treated as a supporting function. For any organisation, it’s now a core operational responsibility. For those in the GLAM sector, it’s central to custodianship – protecting not just the collection, but the systems that make it accessible.

James Watts

Most elements of this attack will be familiar. It followed a pattern we see time and again – attackers striking at the most inconvenient time, using double extortion with data exfiltrated and systems encrypted, and leaving organisations to operate without core systems. 

The response challenges are familiar too. With the website and intranet down, the Library had to rely on channels like social media, email and WhatsApp to communicate, something we’ve seen in other incidents, including during the attack at Dundee and Angus College. 

The attack methods, the response challenges and the recovery constraints are not unique. They’re repeatable patterns. That means they can be planned for. Organisations shouldn’t wait to experience this first-hand to understand it. The detail is already available. The task is to turn that understanding into preparation, building the capability to respond, operate under disruption and recover effectively.

Charlie Maclean-Bristol

Go deeper: from insight to action 

This blog covers the key lessons. Our full Anatomy of a Crisis report goes deeper, with a detailed timeline and full breakdown of the response and recovery.  

Alongside this, we run Cyber Recovery Wargames based on real-world incidents like the British Library attack. These sessions put your leadership team under pressure, helping you rehearse decisions, test assumptions and identify gaps before a real crisis exposes them. 

Download the report and explore our Cyber Recovery Wargames programme to start strengthening your resilience.