
Impressive
No panic, no finger pointing, just heads down and barrel through the problem.
Emotional intelligence was at the heart of the British Library's widely hailed response to its October ransomware attack, according to CEO Roly Keating. The British Library's (BL) ransomware attack last year was one of the most damaging in recent memory, at least in the UK. The transparency of the organization's response over …
It wasn't me, but I'd bet they are a BL user.
Yes, the BL has done well in not paying and the status updates have improved and I'm sure it's been horrible for them too..
.. BUT..
.. it's now over six months since this, and unless something's changed in the past few days, you still can't order material to be ready for when you go to a reading room online or by email or by any other way than going to where the material isn't and asking for it to be there in several days time.
A day trip to London costs me about forty quid. That made sense if I knew the stuff I need would be ready in the reading room of my choice when I turned up. It doesn't if I have to go there just to ask for it to be there the next time I visit.
From the linked article it is apparent that they can't simply restore most of this - it depended on legacy hardware/software and with that all trashed they are basically having to start anew to create a system to do what has to be done, but hopefully in a far more secure manner.
That article also pointed out some of the reasons for this sorry state, that they were legally obliged to do certain things but without added funding, so it had to come out of budgets that ought to have been covering the refresh of core systems.
TL;DR - same as many others - too little done until too late
Otherwise known as "if what you needed wasn't on a shelf in the reading room you were actually in, you very probably couldn't get it".
That moved to "if it wasn't somewhere in the building, you very probably couldn't get it".
I think we're still at the stage where you can now actually ask for offsite material - and an awful lot of the BL's holdings are kept offsite - but only if you schlep over to where you will want it in several days' time, because you can't request materials any other way.
That's fine if you live in London (or indeed Boston Spa), less fine if you live outside.
...available at https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf. From the executive summary:
Our major software systems cannot be brought back ... because they are no longer supported by the vendor or because they will not function on the new secure infrastructure.
and
Our cloud-based systems, including finance and payroll, have functioned normally throughout the incident.
and
Implementation [of updates and changes] will require significant changes to our applications, our culture and ways of working, and our policies and processes.
and
The challenge of rebuilding our technology infrastructure in full also brings risks of capacity and capability within our Technology department...
The cost to fix the damaged and destroyed systems far exceeds any cost to have replaced and defended them in the first place.
So many lessons to learn, so few organizations learning them...
As usual, cutbacks, cutbacks, cutbacks, and more cutbacks.
It's hard to justify spending money on "what if" when there are dozens of "need it now" things that need funding. It's not great, and things like this can be the result, but it's the reality of the situation.
"As usual, cutbacks, cutbacks, cutbacks, and more cutbacks...It's hard to justify spending money on "what if" when there are dozens of "need it now" things that need funding. It's not great, and things like this can be the result, but it's the reality of the situation."
Perhaps so, but at the start of the year in which the attack occurred, the British Library were sitting on cash and investments of £60m. Not to mention "unrestricted funds" showing in their accounts for over a billion quid. Unlike most of the contributors to this thread, I don't think the BL deserve any credit - they not only allowed it to happen, they failed to recognise that their reliance on obsolete systems meant that data would be irretrievably lost. Emotional communication after the event means nothing.
While I agree that proactive management of obsolete systems and practices should have been done, and - probably - could have prevented this disaster, I completely disagree with your statement about the irrelevance of communication. For ANY security breach, esp. concerning public organisations and corporations, the transparent handling of this attack by the BL should be hailed as the absolute gold standard. And that is not only for feel-good, nice-reading-bro grounds: nothing is more ruthless in enforcing better systems and practices than a transparent, public look at the problems that exist.
That is a security practice in and of itself.
When was that time? In my experience, the challenges were different, but they still had them. Back before there were software limitations like all the different layers of firewalls, there were hardware ones instead. I'm unaware of any time where shifting a large subset of a larger project to something new was child's play unless it had been designed with that in mind, and in my experience custom-built systems for a company or organization were rarely designed that way because building them for the infrastructure they had now was cheaper.
The first thing that came to mind was "this application must be installed and executed with full admin rights", so frequently found in instructions and FAQs. Plenty of other examples of "turn off security and it will work" exist.
A secure by design system is completely incompatible with an insecure by design system.