Two Libraries, One Day, Two Ransomware Gangs: What the British Library and Toronto Public Library Attacks Tell Us - Unhinged Librarian

The British Library in London and Toronto Public Library in Canada both detected suspicious activity on their networks that Saturday. Both were targeted by sophisticated ransomware groups. Both refused to pay. And both spent months recovering.

This wasn't a coincidence. It was a coordinated attack on library infrastructure, and it exposed just how vulnerable libraries are.

Let me walk you through what actually happened, what we learned, and why your library needs to pay attention.

British Library: The Attack Timeline

Saturday, October 28, 2023, 11:29 PM GMT: The British Library's security systems detected the first evidence of an external presence on their network. Two minutes later, at 11:32 PM, attackers began moving through the network.

Early hours of Sunday, October 29: A security manager received an alert about suspicious activity. The activity was blocked and escalated for investigation. No further malicious activity was detected, and the compromised account was unblocked after a password reset.

This was a mistake. That "suspicious activity" was the Rhysida ransomware gang performing reconnaissance. They were mapping the network, identifying valuable targets, and planning their attack.

Sunday, October 29: The British Library disclosed an IT outage.

Tuesday, October 31: The library confirmed the disruption was due to a cyber attack.

November 16: The library confirmed this was a ransomware attack, an attempt at digital extortion.

November 20: Rhysida publicly claimed responsibility and launched a week-long auction for 490,191 stolen files on the dark web. They set the opening bid at 20 bitcoin, approximately 596,000 pounds at the time.

November 27: The British Library refused to pay. In response, Rhysida released approximately 600GB of stolen data publicly on the dark web. That was 90% of what they'd taken.

The data included:

• Personal information on library users
• Employee records (names, addresses, social insurance numbers dating back to 1998)
• Internal documents and communications
• Sensitive institutional information

How Rhysida Got In

Investigations revealed the attack exploited a Terminal Services server that had been installed in February 2020 to facilitate remote access for third-party contractors during COVID-19.

The attackers likely used:

• Phishing or spear-phishing to compromise third-party credentials
• Brute-force attacks against accounts without multi-factor authentication
• Lateral movement through the network once inside

Once in, Rhysida used three methods to identify and exfiltrate 600GB of documents. Then they destroyed servers to inhibit system recovery and forensic analysis.

This is textbook ransomware tactics: Get in, steal everything valuable, encrypt critical systems, destroy evidence, demand payment.

Toronto Public Library: The Same Day, A Different Gang

While the British Library was being breached, Toronto Public Library detected their own attack. Also on October 28, 2023.

Toronto's attack was carried out by the Black Basta ransomware gang, a different group from Rhysida but equally sophisticated.

October 28, 2023: Suspicious activity detected on TPL's network. The unauthorized party encrypted certain networks and stole files from the file server.

Within 24 hours: TPL contained the incident and shut down affected systems.

But the damage was done. The attack:

• Shut down the library's internal network
• Took down the library website
• Disabled all public computers across 100 branches
• Locked out patrons from online accounts
• Froze the ability to check out, return, or renew materials digitally

TPL didn't pay the ransom. Like the British Library, they refused to fund further criminal activity.

The Data Breach Impact

Black Basta stole personal information on current and former Toronto Public Library employees and TPL Foundation staff dating back to 1998, including:

• Names
• Social insurance numbers
• Government identification
• Home addresses

TPL provided credit monitoring services to those affected. Fortunately, cardholder and donor databases were not compromised.

The Recovery: Months of Chaos

Both libraries kept their physical doors open. Both provided limited services. But the digital disruption was catastrophic.

Board asking about security funding?

Late October - December 2023: Systems offline. Staff working on crisis response.

December 2023: British Library launched "Rebuild & Renew," an 18-month recovery program budgeted at £6-7 million (about 40% of their financial reserves).

January 15, 2024: Main catalog returned online in read-only format. That was 78 days after the attack.

Mid-April 2024: Infrastructure rebuild completed. Full restoration of systems and data began.

March 2025: Some services still not fully restored, 17 months after the attack.

Toronto Public Library Recovery Timeline:

October 28 - December 2023: All 100 branches remained open for in-person services, but with no digital access for patrons.

November-December 2023: Over one million returned items couldn't be processed. TPL stored them in twelve 53-foot tractor trailers.

Early January 2024: Staff began manually processing the backlog. A million books that needed to be checked in and reshelved.

Early February 2024: Computer services started coming back online.

Late February 2024: Staff finally finished putting the million stranded books back on shelves.

Early March 2024 (4+ months post-attack): Nearly all services restored, including online accounts, catalog searches, holds, and renewals.

The Financial Toll

British Library:

• £6-7 million in recovery costs
• 40% of financial reserves depleted
• Ongoing costs for system modernization
• Delays in Public Lending Right payments to authors
• Suspension of fellowship programs
• Lost research productivity (incalculable)

Toronto Public Library:

• Exact costs not publicly disclosed
• Credit monitoring for affected employees
• Manual labor costs (staff manually processing millions of transactions)
• System rebuild and security upgrades
• Lost productivity and service interruptions

Neither library paid the ransom. Both paid far more in recovery costs.

What We Learned (The Hard Way)

The British Library published a detailed incident review in March 2024. Toronto's Information and Privacy Commissioner also issued findings. Here's what these attacks taught us:

1. Multi-Factor Authentication Isn't Optional

The British Library's Terminal Services server, the entry point for the attack, didn't have MFA enabled for third-party contractors.

Meanwhile, the Library of Congress was targeted in a parallel attack on the same day by the same Rhysida group. LOC wasn't breached. Why? They had MFA enabled.

That's the difference between a £7 million disaster and a blocked attack. MFA is often free with existing systems like Microsoft 365 or Google Workspace.

2. COVID Infrastructure Is Still Haunted

Both attacks exploited systems hastily set up during COVID-19 to enable remote work. The British Library's Terminal Services server from February 2020. Toronto's remote access systems.

These were emergency measures that became permanent without the security hardening they needed.

If your library stood up remote access systems in 2020 and hasn't reviewed their security since... you're vulnerable.

3. Third-Party Access Is Your Weakest Link

The British Library breach started with compromised third-party contractor credentials.

Think about how many vendors have access to your library's network:

• ILS providers
• Database vendors
• IT support contractors
• Cataloging services
• Cleaning and maintenance companies using IoT devices

Each one is a potential entry point. And most library vendor contracts don't include strong security requirements.

4. Detection Isn't Enough. You Need Response.

The British Library detected the initial suspicious activity. Their security manager got an alert. They investigated.

But they didn't recognize it as reconnaissance for a larger attack. They reset the password and moved on.

Detection is useless without the expertise to interpret what you're seeing and the authority to act decisively.

5. Ransomware Groups Are Coordinated and Patient

The fact that two major libraries were hit on the same day, by different groups, suggests coordination or at least shared intelligence.

Rhysida and Black Basta both:

• Spent time mapping the networks before encryption
• Exfiltrated massive amounts of data
• Destroyed recovery infrastructure
• Demanded ransoms
• Released stolen data when ransom wasn't paid

This isn't random opportunistic hacking. This is organized criminal enterprise with business models, marketing, and strategic targeting.

6. Recovery Takes Months, Not Weeks

Both libraries had incident response plans. Both had backups. Both had professional IT teams.

It still took 4+ months to restore services.

Why? Because ransomware attacks don't just encrypt files. They destroy the infrastructure you need for recovery. Servers, backups, security logs. Everything.

And rebuilding means:

• Forensic investigation (what did they access?)
• Malware removal (are they still in the network?)
• Infrastructure rebuild (from scratch, assuming everything is compromised)
• Data restoration (from backups, if they're intact)
• Security hardening (fixing what allowed the breach)
• Service restoration (bringing systems back online safely)

Each step takes weeks. And you can't skip steps or rush without risking reinfection.

7. The Financial Impact Goes Beyond Tech Costs

The British Library:

• Lost research productivity (scholars couldn't access materials)
• Delayed author payments (Public Lending Right system was down)
• Canceled fellowship programs
• Suffered reputational damage

Toronto Public Library:

• Hundreds of staff hours spent manually checking in a million books
• Lost patron trust (personal data stolen)
• Community impact (digital divide widened when public computers went offline)

The spreadsheet costs are bad enough. The intangible costs are worse.

The Questions Your Library Needs to Answer Right Now

If the British Library and Toronto Public Library, two well-funded, professionally staffed institutions, can be crippled for months, what chance does your library have?

Ask yourself:

1. Do all your systems require multi-factor authentication?
Not just for staff. For contractors. For vendors. For remote access. For everything.

2. Have you reviewed security on systems set up during COVID?
If you stood up remote access, VPNs, or cloud systems in 2020-2021 as emergency measures, have they been properly secured since?

3. What third-party access do you have to your network?
Make a list. Every vendor. Every contractor. Every system integration. Then ask: Do we trust their security?

4. Can you detect AND interpret suspicious activity?
Do you have security monitoring? Do you have someone who can recognize reconnaissance activity? Do they have authority to lock things down immediately?

5. Are your backups actually restorable?
When's the last time you tested a full system restore from backup? Not just "Do the backups exist?" but "Can we actually restore from them?"

6. What's your incident response plan?
Who makes decisions during a breach? How do you communicate with patrons? Staff? The public? Law enforcement? Do you have contracts with forensic investigators ready to go?

7. How long can you operate with systems down?
Toronto kept 100 branches open without digital systems for 4 months. Could you do that? Do you have manual processes documented and ready?

What You Should Do This Month

Don't wait for a wake-up call like the one British Library and Toronto Public Library got.

If You Have Zero Budget (Free/Low-Cost Actions):

Week 1:

• Enable MFA on ALL systems (free with most email/cloud services like Microsoft 365, Google Workspace)
• Inventory all third-party access to your network (spreadsheet exercise, no cost)
• Test your backups (time investment only, but critical to confirm they actually work)

Week 2:

• Audit COVID-era systems for security gaps (if you set up remote access in 2020, review it now)
• Document manual processes for operating without digital systems (write down how to check out books manually, run programs offline)
• Join MS-ISAC (Multi-State Information Sharing and Analysis Center, which offers FREE security services for state/local governments including libraries)

Week 3:

• Create a one-page incident response plan (who calls who, who talks to press, who contacts law enforcement)
• Identify free/low-cost partners: Community college IT programs, state library IT support, regional consortia
• Run a 90-minute tabletop exercise with staff: "What if our systems went down tomorrow?"

Week 4:

• Use free phishing training from CISA, KnowBe4 (free tier), or state library associations
• Review your insurance (do you have cyber coverage? What's covered?)
• Brief leadership using the British Library/Toronto/Seattle examples ($7M, $1M costs)

If You Have $10K-50K Budget:

Add these to the above:

• Cyber insurance ($15K-25K annual premium for mid-sized library)
• One-time security audit ($10K-20K from regional IT firm or state consortium)
• Backup system upgrade (air-gapped or immutable backups)
• Retainer agreement with incident response firm (pay for hours as needed)

If You Have $50K+ Budget:

Add these:

• Managed security services (outsourced security monitoring)
• Comprehensive pen testing (identifies vulnerabilities)
• Staff cybersecurity training program (ongoing, not one-time)

The Uncomfortable Truth

The British Library and Toronto Public Library attacks weren't anomalies. They were a preview.

Libraries are targets because:

• They have valuable data (patron information, employee records, institutional knowledge)
• They provide critical public services (pressure to pay ransoms)
• They're underfunded for cybersecurity (easy targets)
• They have lots of third-party integrations (many entry points)

And ransomware groups know this.

October 28, 2023 wasn't the end. It was the beginning. Baker & Taylor in August 2022. Seattle Public Library in May 2024. The Library of Congress targeted (but defended) in October 2023.

The attacks are increasing. The groups are getting more sophisticated. And libraries are woefully unprepared.

Don't let yours be next.