Two Libraries, One Day, Two Ransomware Gangs: What Happened
October 28, 2023: British Library and Toronto both got hit. This wasn't a coincidence.
October 28, 2023: Two of the world’s most prominent libraries got hit with ransomware attacks on the same day.
The British Library in London and Toronto Public Library in Canada both detected suspicious activity on their networks that Saturday. Both were targeted by sophisticated ransomware groups. Both refused to pay. Both spent months recovering.
This wasn’t a coincidence. This was coordinated. And it exposed just how vulnerable libraries are.
British Library: The Timeline
Saturday, October 28, 2023, 11:29 PM GMT: Security systems detected the first evidence of an external presence. Two minutes later, at 11:32 PM, attackers began moving through the network. (They were in for less than three minutes before security noticed. This was the closest the British Library came to preventing catastrophe.)
Early hours of Sunday: A security manager received an alert about suspicious activity. They investigated, blocked the activity, escalated it. Seemed like a win. They reset the password on the compromised account and moved on.
This was, in retrospect, a catastrophic mistake. That “suspicious activity”? The Rhysida ransomware gang doing reconnaissance—mapping the network like they were shopping for furniture, identifying valuable targets, planning their attack. The British Library had caught them in the act and then let them go.
Sunday, October 29: The British Library disclosed an IT outage.
Tuesday, October 31: They confirmed the disruption was a cyber attack.
November 16: They confirmed this was ransomware—digital extortion.
November 20: Rhysida publicly claimed responsibility and launched a week-long auction for 490,191 stolen files on the dark web. Opening bid: 20 bitcoin—approximately £596,000.
November 27: The British Library refused to pay. Rhysida released approximately 600GB of stolen data publicly—90% of what they’d taken.
The data included:
- Personal information on library users
- Employee records (names, addresses, social insurance numbers dating back to 1998)
- Internal documents and communications
- Sensitive institutional information
How Rhysida Got In
The attack exploited a Terminal Services server installed in February 2020 to facilitate remote access for third-party contractors during COVID-19. (That’s the problem right there. “During COVID” was four years ago. This server had been sitting there unchanged, unaudited, unpatched, like a forgotten Tupperware container in the back of the fridge.)
The attackers likely used:
- Phishing or spear-phishing to compromise third-party credentials (contractors who didn’t know better)
- Brute-force attacks against accounts without multi-factor authentication (which is the password guessing equivalent of trying every key on your unlocked keychain)
- Lateral movement through the network once inside (spreading like infection, with zero resistance)
Once in, Rhysida identified and exfiltrated 600GB of documents—which is a LOT of documents. Then they destroyed servers to inhibit system recovery and forensic analysis. Insurance policy against getting caught. Textbook ransomware tactics: Get in, steal everything valuable, encrypt critical systems, destroy evidence, demand payment, and retire with your share of the ransom money.
Toronto Public Library: Same Day, Different Gang
While the British Library was being breached, Toronto Public Library detected their own attack—also on October 28, 2023.
Toronto’s attack was carried out by the Black Basta ransomware gang, a different group from Rhysida but equally sophisticated.
October 28, 2023: Suspicious activity detected. The unauthorized party encrypted certain networks and stole files.
Within 24 hours: TPL contained the incident and shut down affected systems.
But the damage was done. The attack:
- Shut down the internal network
- Took down the library website
- Disabled all public computers across 100 branches
- Locked out patrons from online accounts
- Froze the ability to check out, return, or renew materials digitally
TPL didn’t pay the ransom. Like the British Library, they refused to fund criminal activity.
The Data Breach Impact
Black Basta stole personal information on current and former Toronto Public Library employees and TPL Foundation staff dating back to 1998, including:
- Names
- Social insurance numbers
- Government identification
- Home addresses
TPL provided credit monitoring to those affected. Fortunately, cardholder and donor databases were not compromised.
The Recovery: Months of Chaos
Both libraries kept their physical doors open. Both provided limited services. But the digital disruption was catastrophic.
British Library Recovery Timeline:
Late October - December 2023: Systems offline. Staff working on crisis response.
December 2023: British Library launched “Rebuild & Renew,” an 18-month recovery program budgeted at £6-7 million (about 40% of their financial reserves).
January 15, 2024: Main catalog returned online in read-only format—78 days after the attack.
Mid-April 2024: Infrastructure rebuild completed. Full restoration of systems and data began.
March 2025: Some services still not fully restored, 17 months after the attack.
Toronto Public Library Recovery Timeline:
October 28 - December 2023: All 100 branches remained open for in-person services, but with no digital access for patrons.
November-December 2023: Over one million returned items couldn’t be processed. TPL stored them in twelve 53-foot tractor trailers.
Early January 2024: Staff began manually processing the backlog—a million books that needed to be checked in and reshelved.
Early February 2024: Computer services started coming back online.
Late February 2024: Staff finally finished putting the million stranded books back on shelves.
Early March 2024 (4+ months post-attack): Nearly all services restored, including online accounts, catalog searches, holds, and renewals.
The Financial Toll
British Library:
- £6-7 million in recovery costs
- 40% of financial reserves depleted
- Ongoing costs for system modernization
- Delays in Public Lending Right payments to authors
- Suspension of fellowship programs
- Lost research productivity (incalculable)
Toronto Public Library:
- Exact costs not publicly disclosed
- Credit monitoring for affected employees
- Manual labor costs (staff manually processing millions of transactions)
- System rebuild and security upgrades
- Lost productivity and service interruptions
Neither library paid the ransom. Both paid far more in recovery costs.
What We Learned (The Hard Way)
The British Library published a detailed incident review in March 2024. Toronto’s Information and Privacy Commissioner also issued findings. Here’s what these attacks taught us:
1. Multi-Factor Authentication Isn’t Optional
The British Library’s Terminal Services server—the entry point for the attack—didn’t have MFA enabled for third-party contractors.
Meanwhile, the Library of Congress was targeted on the same day by what appears to be the same group. They successfully defended against it. The British Library had no MFA on remote access. The Library of Congress did. Draw your own conclusions.
That’s potentially the difference between a £7 million disaster and a blocked attack.
2. COVID Infrastructure Is Still Haunted
Both attacks exploited systems hastily set up during COVID-19 to enable remote work. The British Library’s Terminal Services server from February 2020. Toronto’s remote access systems.
These were emergency measures that became permanent—without the security hardening they needed.
If your library stood up remote access systems in 2020 and hasn’t reviewed their security since… you’re vulnerable.
3. Third-Party Access Is Your Weakest Link
The British Library breach started with compromised third-party contractor credentials.
Think about how many vendors have access to your library’s network:
- ILS providers
- Database vendors
- IT support contractors
- Cataloging services
- Cleaning companies using IoT devices
Each one is a potential entry point. And most library vendor contracts don’t include strong security requirements.
4. Detection Isn’t Enough—You Need Response
The British Library detected the initial suspicious activity. Their security manager got an alert. They investigated.
But they didn’t recognize it as reconnaissance for a larger attack. They reset the password and moved on.
Detection is useless without the expertise to interpret what you’re seeing and the authority to act decisively.
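The triage gap described above, as an added example (not taken from the British Library's review or from any product): it flags a remote logon that succeeds right after a burst of failures, then lists the other hosts that account reached afterward, which is the scope a password reset alone leaves unexamined. The log layout, account and host names, addresses, and thresholds are constructed assumptions; 4624/4625 and logon type 10 (RemoteInteractive) are the standard Windows logon event values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from either incident). Fields: time,
# Windows event ID, logon type, account, source IP, target host.
# 4625 = failed logon, 4624 = successful logon, type 10 = RemoteInteractive.
SAMPLE = """\
2024-01-06T09:00:00 4625 10 jsmith 198.51.100.4 ts01
2024-01-06T09:00:20 4624 10 jsmith 198.51.100.4 ts01
2024-01-06T23:10:01 4625 10 vendor-svc 203.0.113.7 ts01
2024-01-06T23:10:09 4625 10 vendor-svc 203.0.113.7 ts01
2024-01-06T23:10:15 4625 10 vendor-svc 203.0.113.7 ts01
2024-01-06T23:10:22 4625 10 vendor-svc 203.0.113.7 ts01
2024-01-06T23:10:30 4625 10 vendor-svc 203.0.113.7 ts01
2024-01-06T23:10:41 4624 10 vendor-svc 203.0.113.7 ts01
2024-01-06T23:13:02 4624 3 vendor-svc 10.0.0.21 files01
2024-01-06T23:14:40 4624 3 vendor-svc 10.0.0.21 dc01
"""

def parse(text):
    events = []
    for line in text.splitlines():
        ts, eid, ltype, acct, src, host = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), acct, src, host))
    return sorted(events)

def find_guessed_logons(events, threshold=5, window=timedelta(minutes=10), follow=timedelta(hours=1)):
    fails = defaultdict(deque)  # (account, source) -> recent failure times
    alerts = []
    for ts, eid, ltype, acct, src, host in events:
        for a in alerts:  # scope: where did a flagged account log on next?
            if (eid == 4624 and acct == a["account"] and host != a["host"]
                    and ts - a["time"] <= follow):
                a["hosts_touched_after"].append(host)
        if ltype != 10:
            continue
        q = fails[(acct, src)]
        while q and ts - q[0] > window:  # drop failures outside the window
            q.popleft()
        if eid == 4625:
            q.append(ts)
        elif eid == 4624 and len(q) >= threshold:
            alerts.append({"account": acct, "source": src, "host": host, "time": ts,
                           "failures": len(q), "hosts_touched_after": []})
            q.clear()
    return alerts

if __name__ == "__main__":
    print(find_guessed_logons(parse(SAMPLE)))
```

On the constructed sample, the single mistyped password from `jsmith` stays quiet, while `vendor-svc` is flagged together with the two servers it logged on to in the minutes after the guessed logon.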
5. Ransomware Groups Are Coordinated and Patient
The fact that two major libraries were hit on the same day—by different groups—suggests coordination or at least shared intelligence.
Rhysida and Black Basta both:
- Spent time mapping networks before encryption
- Exfiltrated massive amounts of data
- Destroyed recovery infrastructure
- Demanded ransoms
- Released stolen data when ransom wasn’t paid
This isn’t random opportunistic hacking. This is organized criminal enterprise with business models, marketing, and strategic targeting.
6. Recovery Takes Months, Not Weeks
Both libraries had incident response plans. Both had backups. Both had professional IT teams.
It still took 4+ months to restore services.
Why? Because ransomware attacks don’t just encrypt files—they destroy the infrastructure you need for recovery. Servers, backups, security logs. Everything.
And rebuilding means:
- Forensic investigation (what did they access?)
- Malware removal (are they still in the network?)
- Infrastructure rebuild (from scratch, assuming everything is compromised)
- Data restoration (from backups, if they’re intact)
- Security hardening (fixing what allowed the breach)
- Service restoration (bringing systems back online safely)
Each step takes weeks. You can’t skip steps or rush without risking reinfection.
7. The Financial Impact Goes Beyond Tech Costs
The British Library:
- Lost research productivity (scholars couldn’t access materials)
- Delayed author payments (Public Lending Right system was down)
- Canceled fellowship programs
- Suffered reputational damage
Toronto Public Library:
- Hundreds of staff hours manually checking in a million books
- Lost patron trust (personal data stolen)
- Community impact (digital divide widened when public computers went offline)
The spreadsheet costs are bad enough. The intangible costs are worse.
The Questions Your Library Needs to Answer Right Now
If the British Library and Toronto Public Library—two well-funded, professionally staffed institutions—can be crippled for months, what chance does your library have?
Ask yourself:
1. Do all your systems require multi-factor authentication? Not just for staff. For contractors. For vendors. For remote access. For everything.
2. Have you reviewed security on systems set up during COVID? If you stood up remote access, VPNs, or cloud systems in 2020-2021 as emergency measures, have they been properly secured since?
3. What third-party access do you have to your network? Make a list. Every vendor. Every contractor. Every system integration. Then ask: Do we trust their security?
4. Can you detect AND interpret suspicious activity? Do you have security monitoring? Do you have someone who can recognize reconnaissance activity? Do they have authority to lock things down immediately?
5. Are your backups actually restorable? When’s the last time you tested a full system restore from backup? Not just “Do the backups exist?” but “Can we actually restore from them?”
6. What’s your incident response plan? Who makes decisions during a breach? How do you communicate with patrons? Staff? The public? Law enforcement? Do you have contracts with forensic investigators ready to go?
7. How long can you operate with systems down? Toronto kept 100 branches open without digital systems for 4 months. Could you do that? Do you have manual processes documented and ready?
What You Should Do This Month
Don’t wait for a wake-up call like the one the British Library and Toronto got.
If You Have Zero Budget (Free/Low-Cost Actions):
Week 1:
- Enable MFA on ALL systems (free with most email/cloud services)
- Inventory all third-party access to your network (spreadsheet exercise, no cost)
- Test your backups (time investment only—critical to confirm they actually work)
Week 2:
- Audit COVID-era systems for security gaps
- Document manual processes for operating without digital systems
- Join MS-ISAC (Multi-State Information Sharing and Analysis Center—FREE security services for state/local governments including libraries)
Week 3:
- Create a one-page incident response plan (who calls who, who talks to press, who contacts law enforcement)
- Identify free/low-cost partners: Community college IT programs, state library IT support, regional consortia
- Run a 90-minute tabletop exercise with staff: “What if our systems went down tomorrow?”
Week 4:
- Use free phishing training from CISA, KnowBe4 (free tier), or state library associations
- Review your insurance (do you have cyber coverage? What’s covered?)
- Brief leadership using the British Library/Toronto/Seattle examples ($7M, $1M costs)
If You Have $10K-50K Budget:
Add these to the above:
- Cyber insurance ($15K-25K annual premium for mid-sized library)
- One-time security audit ($10K-20K from regional IT firm or state consortium)
- Backup system upgrade (air-gapped or immutable backups)
- Retainer agreement with incident response firm
If You Have $50K+ Budget:
Add these:
- Managed security services (outsourced security monitoring)
- Comprehensive pen testing
- Staff cybersecurity training program (ongoing, not one-time)
The Uncomfortable Truth
The British Library and Toronto Public Library attacks weren’t anomalies. They were a preview.
Libraries are targets because:
- They have valuable data (patron information, employee records, institutional knowledge)
- They provide critical public services (pressure to pay ransoms)
- They’re underfunded for cybersecurity (easy targets)
- They have lots of third-party integrations (many entry points)
And ransomware groups know this.
October 28, 2023 wasn’t the end. It was the beginning. Baker & Taylor in August 2022. Seattle Public Library in May 2024. The Library of Congress targeted (but defended) in October 2023.
The attacks are increasing. The groups are getting more sophisticated. And libraries are woefully unprepared.
Don’t let yours be next.
Resources:
- British Library Cyber Incident Review (March 2024)
- Toronto Public Library Cybersecurity Report
- Library Cybersecurity Resources - ALA
Authenticity note: With the exception of images, this post was not created with the aid of any LLM product for prose or description. It is original writing by a human librarian with opinions.