On Saturday 28 October 2023, the British Library was affected by a significant ransomware cyber-attack that compromised many the library’s online systems. The British Library has recently chosen to published a report about the cyber-attack stating that “Our hope is that doing this will help other organisations to plan and protect themselves against attacks of this kind”.1
The impact of this attack on the British Library has been significant. It includes the destruction of servers which is hindering recovery and the rebuilding of the library’s technological infrastructure. Naomi Korn Associates wish to extend our appreciation to the British Library for sharing this learning, but also our compassion to those staff working at the British Library or any data subject affected by the breach. All too often the impact on individuals is missed both in terms of job security, stress at work and risk of identity theft.
Smaller libraries and institutions may feel that an attack of this scale would never happen to them; however, even small organisations can process large amount of valuable personal data. Cultural heritage organisations often hold sensitive information about collections, donors, and visitors, making them attractive targets for cybercriminals. The impact of an attack can be significant, leading to the loss of public trust, financial damage, and the potential loss of irreplaceable historical records.
Smaller organisations are likely to have less resources to protect themselves and should carefully consider what the impact could be of such an attack and if there is more, they can do to protect their organisation and the privacy of the people whose data they handle.
The report includes some sector-wide lessons including:
- Ensure you have multi-factor authentication (MFA) enabled: MFA is the concept of using authentication using two or more factors (such as a mobile device or pass code2). Ask your IT provider whether this is in place across your infrastructure.
- Training your staff: The report states: a “significant culture change needed to fully embed cyber security”. There is free e-learning available from the National Cyber-Security Centre http://www.ncsc.gov.uk or organisations can procure other options.
- Manage third parties: Organisations should have a comprehensive understanding which third parties have access to their infrastructure and systems. The British Library said that “a review of security provisions relating to the management of third parties was planned for 2024…..Unfortunately, the attack occurred before these necessary pre-requisites for this work were completed.”3
- Ensure your security is adequate: A key principle of the General Data Protection Regulation (UK GDPR) is that organisations have ‘appropriate technical and organisational measures’. The absence of Multi-Factor Authentication (MFA) will be viewed as an aggravating factor by the Information Commissioner’s Office (ICO) if they decide to impose fines related to this data breach. One way to ensure you have adequate security measures is to procure a “cyber/information security audit” from a third party.
- Do not pay any ransom fees: These kind of attacks are often followed up by a request for payment to release the data: “The Library has not made any payment to the criminal actors responsible for the attack, nor engaged with them in any way….the UK’s national policy, articulated by NCSC, is unambiguously clear that no such payments should be made”.4
- Have a plan: This strategic plan should detail the procedures for immediate action following a cyber-security incident, including the designation of a response coordinator to lead your organisation’s efforts.
- Know where to go for help: Identify external support resources, such as the National Cyber Security Centre (NCSC), which can provide expert guidance and assistance in managing the situation effectively or external consultants such as Naomi Korn Associates.
For anyone concerned about whether their own personal data was compromised you can find out more here: Cyber incident update | The British Library (bl.uk) or get advice from sources including: Get Safe Online | The UK’s leading Online Safety Advice Resource
In addition, the NCSC has a wealth of information for individuals and organisations about staying safe online. The NCSC provided early advice on incident handling, including communications strategy to the British Library.
Naomi Korn Associates is a UK-based leader specialising in copyright, data protection, and licensing. Since 2003 we have worked with the cultural heritage, charity, education and private sectors and the creative industries across the UK and internationally.
We can provide your organisation with:
- Staff training
- Third-party audits and due diligence templates
- Data Protection Healthchecks/Audits
- Data Breach Response Plans
Why not attend our fantastic CPD accredited course Information Security and Data Breach Management and other CPD accredited data protection courses for cultural heritage organisations.
We are also offering FREE 15-minute clinic sessions on 15th and 16th May at the Museums and Heritage Show:
✅ Data Protection – with Jess Pembroke, Head of Data Protection or Becky Hall, Information Governance Manager or Sofia Carroll, Information Governance Manager
✅ Copyright – with Sean Waterman, Head of IP or Naomi Korn, CEO
✅ Commercial Licensing – with Julie Molloy, Senior Consultant
Book your session here 👉 https://lnkd.in/eW3FTfST