Saturday 28 October 2023 is a date that will live long in the memory of staff at the British Library. As they arrived for work that day, they found chaos. Servers were no longer online. Crucial systems were encrypted. And digital catalogues had disappeared altogether. A cultural institution renowned all over the world, one that looks after 170 million items spanning three millennia, had been hit by a sophisticated ransomware attack whose effects it still feels today.
Yet the attack didn’t begin that Saturday morning. Two days earlier, on 25 October at 23:29, forensic logs captured the first external presence on the Library’s network. Within minutes, intruders began moving laterally, probing for weaknesses. The monitoring systems worked as designed – they detected the anomaly and blocked it. But when no repeat activity was observed, the compromised account was unblocked.
At the time that seemed reasonable: perhaps a false positive, or a legitimate connectivity issue. Staff couldn’t have known they were watching hostile reconnaissance by the Rhysida ransomware group positioning for its devastating strike. By the end of 28 October the attackers had exfiltrated approximately 440 GB of data in that single night, and around 600 GB in total, including staff personal information, user records and internal operational files.
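The sequence described above, an external logon to a remote-access host followed within minutes by connections to several internal systems, is exactly the pattern a detection rule can encode. The following is an added example, not code or log data from the Library or its incident review: the log format, hostnames and IP addresses are constructed, and the 10-minute window and three-host threshold are assumed tuning values.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log for the example. The field layout is an assumption,
# not the Library's logging format; IPs and hostnames are fictitious.
SAMPLE_LOG = """\
2023-10-25T23:29:00Z logon user=svc_partner src=203.0.113.7 dst=ts-gw01 result=success
2023-10-25T23:31:10Z logon user=svc_partner src=ts-gw01 dst=fileshare02 result=success
2023-10-25T23:32:45Z logon user=svc_partner src=ts-gw01 dst=catalog-db01 result=success
2023-10-25T23:33:20Z logon user=svc_partner src=ts-gw01 dst=dc01 result=failure
2023-10-25T23:34:00Z logon user=svc_partner src=ts-gw01 dst=backup01 result=success
2023-10-26T08:02:00Z logon user=j.smith src=10.20.1.55 dst=fileshare02 result=success
2023-10-26T08:05:00Z logon user=j.smith src=10.20.1.55 dst=catalog-db01 result=success
"""

# The organisation's own address space (assumed). Anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(src: str) -> bool:
    """True for an IP address outside INTERNAL_NETS. A hostname (an internal
    server acting as the next hop) cannot be an ingress point, so it is internal."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def parse_event(line: str) -> dict:
    """'<ISO8601 UTC> <kind> key=value ...' -> dict with a timezone-aware 'ts'."""
    ts, kind, *fields = line.split()
    event = {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "kind": kind,
    }
    event.update(f.split("=", 1) for f in fields)
    return event


def detect_external_entry_then_spread(log_text: str,
                                      window: timedelta = timedelta(minutes=10),
                                      min_hosts: int = 3) -> list[dict]:
    """Flag an account whose successful logon from outside the estate is followed,
    within `window`, by logon attempts against at least `min_hosts` other internal
    hosts. Failed attempts count too: probing is the signal, not success."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_event(line)
            by_user[event["user"]].append(event)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, entry in enumerate(events):
            if entry["result"] != "success" or not is_external(entry["src"]):
                continue
            deadline = entry["ts"] + window
            hosts = {e["dst"] for e in events[i + 1:]
                     if e["ts"] <= deadline and e["dst"] != entry["dst"]}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "user": user,
                    "entry_time": entry["ts"].isoformat(),
                    "entry_src": entry["src"],
                    "gateway": entry["dst"],
                    "hosts_touched": sorted(hosts),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_external_entry_then_spread(SAMPLE_LOG):
        print(alert)
```

On the constructed log this raises one alert, for svc_partner, and none for j.smith, whose two logons come from inside the estate. The operational point sits outside the code: an account that trips this rule should stay blocked until an analyst has positively established a benign cause. Quiet hours afterwards are not evidence of anything.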
And Rhysida didn’t stop at theft. They employed what cybersecurity experts call destructive tradecraft, going beyond encryption to actively destroy servers, wipe logs, and implement anti-forensic measures designed to erase their tracks and maximise the Library’s operational pain. This wasn’t just about holding data for ransom. It was about inflicting chaos and making recovery as difficult and as costly as possible.
How the Cyberattack Took Place
At no point was the British Library particularly negligent or unprepared. Instead, it was hindered by vulnerabilities shared by the majority of cultural institutions. In this respect, the attack doesn’t just represent an isolated failure – it’s a warning to the whole sector.
Cultural institutions face a perfect storm of risk factors. Operating budgets prioritise immediate public service – acquisitions, exhibitions, programmes, access – over invisible infrastructure investments. This causes technology refresh cycles to stretch indefinitely until systems become “historic” in their own right. Many major institutions have also grown through mergers and acquisitions, inheriting heterogeneous technology estates that resist rationalisation.
The sector’s open-access ethos also creates inherent tension with security’s instinct to restrict and control. Research collaborations, digitisation partnerships, content-sharing agreements, and vendor relationships create spiderwebs of access that are difficult to map, let alone secure comprehensively. Moreover, public and donor funding increasingly comes with strings attached, or targets visible programmatic work rather than unglamorous backend infrastructure. All of these factors contribute to outdated infrastructure that is vulnerable to attack.
In the British Library’s case, the most probable entry point for the attackers was a Windows Terminal Services server designed to provide partners and administrators with remote access. The major vulnerability with this system was the lack of multi-factor authentication. The Library did in fact roll out MFA for cloud systems back in 2020. But crucially, connections to on-premises systems weren’t included in that rollout (they were due a scheduled modernisation upgrade when the attackers struck).
Once inside, the attackers found a complex network shaped by institutional mergers and decades of organic growth. The Library’s technology estate reflected its history: the consolidation of different collections, the absorption of other institutions, and the accumulation of bespoke platforms built for specific purposes over time.
Older applications relied on manual processes for moving data between systems. This created duplicate copies of sensitive information scattered across multiple network shares instead of data being centrally controlled and monitored. And the flat internal network topology, lacking the segmentation that would compartmentalise different functions and restrict lateral movement, allowed attackers to roam widely once they had a foothold.
The Digital Transformation Nobody Wanted, But Everyone Needs
The attack catalysed a digital transformation that might otherwise have taken a decade – though it came at a cost no institution would voluntarily pay. The Library’s Rebuild and Renew agenda (a recovery plan initiated after the cyberattack) represents a comprehensive overhaul of infrastructure, security practices, and operational culture. Crucially, it’s a fundamental philosophy shift from accommodating legacy systems indefinitely to proactively modernising them – even when it’s painful.
So, what are some of the lessons we can take from the Library’s rebuild?
The rebuilt network now features proper segmentation so that compromising one area doesn’t automatically grant access to everything else. MFA covers not just cloud applications but also on-premises systems, with no exceptions for “special” access points or temporary solutions that become permanent. Third-party and administrative access receives particular scrutiny through privileged access management tools that provide just-in-time elevation – you get admin rights only when you need them, only for specific tasks, and only after additional verification.
Perhaps most critically, the Library has completely reimagined its backup and recovery strategy around one central assumption: modern ransomware destroys, not just encrypts. Backups are now immutable, so they cannot be altered or deleted even by someone holding administrator credentials; that property only holds when retention is enforced by the storage platform itself rather than by a setting the same administrator can switch off. And they’re air-gapped or otherwise isolated from production networks, physically or logically, so that attackers can’t reach them even if they gain extensive access to production.
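Whether a backup store is genuinely immutable is a question about its configuration, and it can be checked mechanically. The following is an added example, not the Library’s tooling or code: it assesses a backup bucket description in the shape Amazon S3 returns for its versioning and Object Lock settings (the author works on AWS, but nothing on this page says which platform the Library uses). The bucket names, values and the 30-day retention requirement are constructed, with a weak configuration placed beside a hardened one.

```python
REQUIRED_RETENTION_DAYS = 30  # assumed policy: long enough to outlast a slow-burn intrusion

# Constructed bucket descriptions. The nested dicts follow the shape S3 returns for
# GetBucketVersioning and GetObjectLockConfiguration; names and values are examples.
WEAK_BACKUP_BUCKET = {
    "name": "backups-weak",
    "versioning": {"Status": "Enabled"},
    "object_lock": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}},
    },
    "in_production_account": True,
}

HARDENED_BACKUP_BUCKET = {
    "name": "backups-hardened",
    "versioning": {"Status": "Enabled"},
    "object_lock": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}},
    },
    "in_production_account": False,
}


def retention_days(rule: dict) -> int:
    """Default retention may be expressed in Days or Years; normalise to days."""
    retention = rule.get("DefaultRetention", {})
    return int(retention.get("Days", 0)) + 365 * int(retention.get("Years", 0))


def assess_backup_bucket(bucket: dict, required_days: int = REQUIRED_RETENTION_DAYS) -> list[str]:
    """Return the reasons this bucket would NOT survive an attacker holding
    production administrator credentials. An empty list means no finding."""
    findings = []

    if bucket["versioning"].get("Status") != "Enabled":
        findings.append("versioning not enabled: Object Lock depends on it, and an "
                        "overwrite or delete destroys the only copy")

    lock = bucket.get("object_lock") or {}
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock not enabled: any principal with delete rights "
                        "can remove the backups")
    else:
        rule = lock.get("Rule", {})
        mode = rule.get("DefaultRetention", {}).get("Mode")
        if mode != "COMPLIANCE":
            # GOVERNANCE retention can be shortened or removed by any principal
            # granted s3:BypassGovernanceRetention; COMPLIANCE cannot, by anyone,
            # until the retention period expires.
            findings.append(f"retention mode {mode}: can be bypassed by a principal "
                            "holding s3:BypassGovernanceRetention")
        days = retention_days(rule)
        if days < required_days:
            findings.append(f"default retention {days}d is below the {required_days}d "
                            "needed to outlast an intrusion that is discovered late")

    if bucket["in_production_account"]:
        findings.append("bucket sits in the production account: production admin "
                        "credentials reach it; keep backups in a separate account "
                        "with its own identities")

    return findings


if __name__ == "__main__":
    for bucket in (WEAK_BACKUP_BUCKET, HARDENED_BACKUP_BUCKET):
        print(bucket["name"], assess_backup_bucket(bucket) or ["no findings"])
```

The weak bucket has versioning and Object Lock turned on, which is what a quick glance at a console would check, and still fails on all three points that matter against a destructive intruder: the lock mode can be bypassed, the retention is shorter than a realistic dwell time, and the store shares a control plane with the systems being backed up.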
They’re also regularly tested not just for data integrity but for actual restoration under realistic failure scenarios. This represents a major shift from thinking of backup as an insurance policy to treating it as an active recovery system. The question isn’t whether you have copies of the data, but whether you can rebuild from those copies quickly enough to maintain operations.
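A restoration test differs from an integrity check in what it compares: not “does each stored object still hash correctly?” but “does the tree that comes back match what was backed up, and did it come back fast enough?”. The following is an added example, not the Library’s procedure: it builds a manifest of SHA-256 hashes at backup time, then verifies a restored copy against it and against an assumed recovery time objective. The file tree and the faulty restore are constructed inline, with the faults (one file silently skipped, one truncated) deliberate.

```python
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's POSIX-style relative path to its SHA-256. Taken at backup
    time and stored with the immutable backup, so the restore has something
    independent to be checked against."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root: Path, manifest: dict[str, str],
                   rto_seconds: float, elapsed_seconds: float) -> dict:
    """Compare a restored tree with the backup-time manifest. Missing and corrupt
    files fail the drill; so does a restore that ran past the recovery objective."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    corrupt = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    within_rto = elapsed_seconds <= rto_seconds
    return {
        "missing": missing,
        "corrupt": corrupt,
        "extra": extra,
        "elapsed_seconds": elapsed_seconds,
        "within_rto": within_rto,
        "passed": not missing and not corrupt and within_rto,
    }


def demo_restore_drill(rto_seconds: float = 60.0) -> dict:
    """Constructed drill: a tiny 'production' tree, then a restore that silently
    dropped one file and truncated another. Hashing the stored objects alone
    would have reported both as fine; comparing the restore to the manifest does not."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp) / "prod"
        (prod / "records").mkdir(parents=True)
        (prod / "catalogue.db").write_bytes(b"constructed catalogue data\n")
        (prod / "records" / "readers.csv").write_bytes(b"id,name\n1,constructed reader\n")
        (prod / "records" / "loans.csv").write_bytes(b"id,item\n1,constructed loan\n")
        manifest = build_manifest(prod)

        restored = Path(tmp) / "restored"
        (restored / "records").mkdir(parents=True)
        started = time.monotonic()
        (restored / "catalogue.db").write_bytes(b"constructed catalogue")        # truncated
        (restored / "records" / "loans.csv").write_bytes(b"id,item\n1,constructed loan\n")
        # records/readers.csv never arrives: the restore job skipped it
        elapsed = time.monotonic() - started
        return verify_restore(restored, manifest, rto_seconds, elapsed)


if __name__ == "__main__":
    print(demo_restore_drill())
```

In a real drill the restore step is the vendor’s or platform’s own restore job running into an isolated recovery environment, with the elapsed time measured from the decision to restore, not from the moment data starts flowing; the manifest comparison is what turns “we have copies” into “we can rebuild”.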
All the technical controls in the world matter little if the people using systems aren’t equipped to recognise and respond to threats. The Library elevated mandatory cybersecurity training from mere checkbox compliance to genuine capability-building. It revised its incident response playbooks, which are now drilled quarterly through tabletop exercises. And most importantly, it elevated cybersecurity to a board-level strategic priority. Rather than being treated as an IT cost centre competing for scraps, it now has dedicated budgets.
The Broader Stakes
We’re living through the largest transformation in how human knowledge is preserved and transmitted since the invention of the printing press. This digitisation is democratising, allowing someone in rural India to access manuscripts that once required travelling to London. It’s preservative, providing redundancy if physical originals are damaged. It’s transformative, enabling computational analysis of texts that would be impossible with physical materials alone.
But digitisation also creates profound vulnerabilities. When access to knowledge depends on operational digital infrastructure, attacks on that infrastructure become attacks on knowledge access itself. And when digital-born materials exist only in digital form – no paper backup, no physical original – their destruction means permanent loss of unique cultural heritage.
The British Library’s secure preservation copies survived the attack intact, but imagine scenarios where institutions lack such robust preservation practices, where ransomware doesn’t just lock access but actually destroys unique digital materials. It’s not hypothetical – it’s an emerging threat that keeps digital archivists awake at night.
Future attacks might not be financially motivated at all. Nation-states or extremist groups could target cultural institutions specifically to disrupt knowledge access, manipulate historical records, or inflict symbolic harm on cultural memory itself. The infrastructure we’re building to democratise access to human knowledge could become a vector for its suppression or destruction.
Safeguarding Cultural Memory
The Library’s greatest contribution may ultimately be its transparency. By publishing a candid incident review, maintaining regular public communication, and sharing lessons learned, the institution has transformed its tragedy into a teaching moment for an entire sector. Other institutions facing breaches should take note: transparency accelerates collective learning and often earns regulatory and public forbearance, while secrecy breeds suspicion and leaves peer organisations vulnerable to repeating your mistakes.
The digitisation of cultural heritage has unlocked unprecedented access to human knowledge. But it has also created unprecedented vulnerabilities. The British Library’s experience proves that safeguarding cultural memory now requires cybersecurity expertise as much as archival science, that infrastructure resilience matters as much as preservation technique, and that organisations must plan for the worst even while hoping for the best.
The ransomware attack didn’t destroy the British Library. The institution endures, its core collections remain intact, and its mission continues. But the attack revealed just how close we came, and how close countless other institutions remain to a genuine cultural catastrophe. We’ve been warned. The only question is whether we’ll act on that warning before it’s too late.
Kashif Nazir is a Senior Technical Architect at Cloudhouse. He leads multi‑cloud modernisation on AWS, Azure, GCP and on‑premises, establishing automation and application packaging practices that reduce risk and improve consistency. He partners with product and engineering across multiple Cloudhouse products to align architecture with business goals and applies practical AI to improve reliability and speed in delivery and operations. He is AWS Certified Solutions Architect - Professional.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.