While the world was paying attention to the British Library and Toronto ransomware attacks in late 2023, American libraries were getting hit too.

You probably didn’t hear about most of them. Some made local news. A few got brief mentions in library trade publications. But most flew under the radar. (CISA tracks ransomware incidents, but many library attacks go unreported.)

That’s a problem. Because what’s happening to U.S. libraries right now is a systematic, accelerating pattern of attacks—and most libraries still think “it won’t happen to us.”

Baker & Taylor: When Your Vendor Gets Hit, You Get Hit

August 20-21, 2022: Baker & Taylor, one of the largest book distributors serving over 5,000 public and academic libraries across North America, was hit with ransomware over the weekend.

The attack took down:

  • Title Source 360 (the ecommerce system libraries use to order materials)
  • EDI services (automated transactions with library systems)
  • Phone systems
  • Offices and service centers

For 17 days, thousands of libraries couldn’t order books.

Not a direct attack on libraries—an attack on their critical vendor. But the impact? Thousands of libraries disrupted simultaneously.

Total outage: 17 days.

Ransomware group: Never publicly identified.

Ransom payment: Baker & Taylor never disclosed whether they paid.

Why This Matters

You might think: “We don’t control our vendor’s security. What can we do?”

Here’s what you can do:

  1. Ask vendors about their cybersecurity practices before signing contracts
  2. Require vendors to notify you within 24 hours of a breach
  3. Have backup vendors identified for critical services
  4. Include cyber incident response clauses in contracts

Because when your vendor goes down, your library goes down. And you don’t get to choose the timing.

Seattle Public Library: $1 Million to Recover

May 2024: Seattle Public Library’s systems were hit with ransomware. All 27 locations were affected.

What went offline:

  • Library catalog
  • Public computers
  • Internet access
  • Internal systems
  • Website

Unlike some libraries that tried to downplay the impact, Seattle was transparent about the costs:

Consultant fees: ~$800,000

  • $400,000 for forensic investigation and ransom negotiation
  • $262,000 to restore the network and computer terminals
  • Additional consulting costs

Extra IT costs: ~$200,000

Total projected cost by year-end: $1 million

And that’s just the direct response costs. It doesn’t include lost productivity, staff overtime, patron impact, or long-term security upgrades.

What Seattle Did Right

Seattle hired forensic investigators immediately. They brought in ransom negotiators (even though they ultimately didn’t pay). They restored systems methodically instead of rushing.

But they had to spend $1 million to do it right.

Most libraries don’t have a million-dollar incident response budget sitting around. Seattle is a major urban system with resources. What happens when a small rural library system gets hit?

Library of Congress: The Attack That Didn’t Succeed

October 28, 2023 (the same day as the British Library and Toronto attacks): The Library of Congress was targeted by a cyberattack, likely by the same Rhysida group that hit the British Library.

The attack failed.

Why? Multi-factor authentication.

The hackers tried to get in through remote access credentials. But LOC had MFA enabled on that system.

The hackers couldn’t get past the second authentication factor. Attack blocked.

The $0 Incident

Library of Congress’s costs:

  • Investigation time: A few staff hours
  • Remediation: Password resets, security review
  • Recovery: $0 (because nothing was compromised)
  • Downtime: 0 hours

This is the story every library should be telling. MFA works. It’s not perfect, but it stops the vast majority of credential-based attacks.

And credential compromise is how most ransomware attacks start.

Pierce County Library System: The Attack Nobody Talked About

Timeframe: Undisclosed (reported in 2024)

Pierce County Library System in Washington State confirmed they were hacked and information was stolen.

Details about the attack? Minimal public disclosure.

What we know:

  • The system was breached
  • Data was stolen
  • The library is still determining the full scope

What we don’t know:

  • When the attack occurred
  • What ransomware group was involved
  • Whether ransom was demanded or paid
  • What data was compromised
  • How long recovery took

The Problem with Silence

I understand why libraries don’t want to talk about breaches. Negative publicity. Patron concern. Legal liability.

But the silence is making things worse.

When libraries don’t share information about attacks, other libraries don’t learn. They don’t know what to look for. They don’t know what works and what doesn’t.

The British Library published a detailed incident review. Toronto released cybersecurity reports. Seattle was transparent about costs.

That transparency helps other libraries prepare. Silence just leaves everyone vulnerable.

The Broader Pattern: Why Libraries Are Targets

Libraries are soft targets: Most run on tight budgets, rely on small IT teams, use legacy systems, and have limited cybersecurity expertise.

Libraries provide critical public services: When those services go offline, there’s public pressure to restore them quickly. That pressure creates willingness to pay ransoms.

Libraries have valuable data: Patron records. Employee information. Financial data. Donor records. All of it has value.

Libraries are connected to bigger networks: Public libraries connect to municipal networks. Academic libraries connect to university systems. Compromise one library, and you might get access to city government or university research data.

Ransomware is now Ransomware-as-a-Service: Groups like Rhysida, Black Basta, and LockBit operate like software companies. They develop ransomware tools, sell or license those tools to “affiliates,” and split ransom payments. This industrialization means more attacks, more sophisticated attacks, more targets.

And libraries fit the target profile perfectly.

What We’re Not Tracking (But Should Be)

We don’t have comprehensive data on library cyberattacks in the U.S.

We know about Baker & Taylor, the attempted Library of Congress attack, Seattle, and Pierce County. But how many more happened that didn’t make the news?

We don’t know. And that’s a problem.

The American Library Association doesn’t maintain a public database of library cyber incidents. State library agencies don’t track it comprehensively. There’s no central reporting mechanism.

Which means libraries are fighting this threat blind, without good data on attack frequency, attack methods, success rates, recovery costs, or what works for defense.

We need better information sharing. Yesterday.

What Your Library Should Do This Week

Most U.S. libraries are not prepared for a ransomware attack. But you can start getting prepared today.

Immediate actions (do these this week):

  1. Enable MFA on everything - Every system. Every user. Every vendor connection. No exceptions.
  2. Test your backups - Not “Do we have backups?” but “Can we actually restore from them?” Test a full restore.
  3. Inventory third-party access - List every vendor, contractor, or service that has network access. Then audit their security.
  4. Review your cyber insurance - Do you have it? Does it cover ransomware? What are the limits? What’s excluded?
  5. Create a communication plan - If your systems go down tomorrow, who communicates with patrons? Staff? The board? The press? Law enforcement? Write it down. Now.
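A scripted version of item 2 (“Can we actually restore from them?”), added here as an example and not part of the original post: it builds a small constructed backup set, restores it into a scratch directory, and checks every file against the hashes recorded at backup time, so a backup that merely exists is distinguished from one that restores intact. The file paths and contents are constructed placeholders, not from any real library system.

```python
import hashlib, io, os, tarfile, tempfile

# Constructed sample "backup set": placeholder paths and contents for a small ILS host.
SAMPLE_FILES = {
    "catalog/bib.sqlite": b"sqlite-placeholder-bibliographic-records",
    "circulation/patrons.csv": b"id,name\n1,Example Patron\n",
    "config/ils.ini": b"[server]\nport=6001\n",
}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def make_backup(files):
    """Build a gzip'd tar plus the manifest {path: sha256} recorded at backup time."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue(), {p: sha256(c) for p, c in files.items()}

def restore_test(archive, manifest):
    """Restore into a scratch dir and check every manifest entry; 'ok' only if all intact."""
    report = {"restored": 0, "missing": [], "mismatched": [], "ok": False}
    # Use the safe extraction filter where this Python provides it (3.12+ and backports).
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
                tar.extractall(scratch, **kwargs)
            for path, expected in manifest.items():
                target = os.path.join(scratch, *path.split("/"))
                if not os.path.isfile(target):
                    report["missing"].append(path)
                    continue
                with open(target, "rb") as fh:
                    if sha256(fh.read()) == expected:
                        report["restored"] += 1
                    else:
                        report["mismatched"].append(path)
    except Exception as exc:  # archive present but unreadable: a backup that cannot be restored
        report["error"] = f"{type(exc).__name__}: {exc}"
        return report
    report["ok"] = not report["missing"] and not report["mismatched"]
    return report

if __name__ == "__main__":
    archive, manifest = make_backup(SAMPLE_FILES)
    print(restore_test(archive, manifest), restore_test(b"\x00\x00" + archive[2:], manifest))
```

Run it against a real backup by replacing the constructed archive and manifest with the ones your backup job produces; the report tells you which files would not come back, not just whether a file exists.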

Short-term actions (next 30 days):

  1. Run a tabletop exercise - Gather key staff and walk through a ransomware scenario. “It’s Monday morning. Our systems are encrypted. What do we do?” Identify gaps.
  2. Harden COVID-era systems - Any remote access, VPN, or cloud system set up during 2020-2021 needs a security review. Assume they’re vulnerable until proven otherwise.
  3. Identify incident response partners - Research and vet forensic investigation firms, cyber insurance claims specialists, and legal counsel before you need them.
  4. Train staff on phishing - Run simulated phishing exercises. Most ransomware starts with a phishing email.
  5. Review vendor contracts - Add cybersecurity requirements: Notification within 24 hours of a breach, MFA required for all access, regular security audits, indemnification for vendor-caused breaches.

Long-term actions (next 6-12 months):

  1. Budget for cybersecurity - Stop treating security as an afterthought. Library boards and funders need to understand: Cybersecurity is not optional. It’s infrastructure.
  2. Join information-sharing networks - Connect with library cybersecurity groups like LITA’s Security Interest Group. Share information. Learn from others’ incidents.
  3. Develop manual fallback procedures - Toronto kept 100 branches open without digital systems for 4 months. Can you do that? Document manual processes for circulation, reference, programming, and operations.

The Question Nobody Wants to Ask

Should libraries pay ransoms?

The official answer—from the FBI, from cybersecurity experts, from law enforcement—is no. Paying ransoms funds criminal enterprises, doesn’t guarantee you’ll get your data back, marks you as a willing payer, and may be illegal.

The British Library didn’t pay. Toronto didn’t pay. Seattle didn’t pay.

But some libraries have paid. We know this because ransomware groups publish statistics. And they count libraries among their paying customers.

So what should you do if you get hit?

Make that decision now, before an attack, with clear criteria.

Decide:

  • Under what circumstances would we consider paying?
  • Who has authority to make that call?
  • What legal and ethical review process will we follow?

Document it. Get board approval. Make it policy.

Because if you wait until you’re staring at encrypted systems and a ransom demand on your screen, you won’t make a good decision. You’ll make a panicked one.

This Isn’t Going Away

Ransomware attacks on the education sector (which includes libraries) surged dramatically. While comprehensive library-specific statistics aren’t available due to lack of central reporting, cybersecurity firms document significant increases:

  • Education sector ransomware attacks increased 84 percent between 2022 and 2023
  • Libraries represented a growing target within that sector
  • Government-related entities (including public libraries) are increasingly targeted

We don’t have precise library-specific statistics because there’s no mandatory reporting mechanism. Many smaller library breaches never make the news. But the documented cases—Baker & Taylor, British Library, Toronto, Seattle, Pierce County—represent just the tip of the iceberg.

And 2025 showed no signs of slowing down. If anything, attacks are accelerating.

The British Library and Toronto attacks were wake-up calls. But most libraries hit the snooze button.

Don’t be one of them.

Go enable MFA on every system. Test your backups. Report incidents when they happen.
Authenticity note: With the exception of images, this post was not created with the aid of any LLM product for prose or description. It is original writing by a human librarian with opinions.