British Library ransom attack claimed, data leak confirmed


The British Library confirms data has been leaked as it struggles to recover from an October 28th ransomware attack claimed by the Rhysida ransom gang.

The United Kingdom’s national library first posted about the breach on its web blog exactly two weeks ago, on November 6th, and provided its latest ‘cyber incident’ update on Monday.

“We’re continuing to experience a major technology outage as a result of a cyber-attack,” the library said in a statement also posted on X.

“The outage is still affecting our website, online systems and services, as well as some onsite services including Wi-Fi,” it said.

Last week, the library confirmed the system disruptions were due to a ransomware attack, since claimed by the Rhysida cyber gang.

Now, on November 20th, library officials have confirmed that some employee data appears to have been exposed online.

“We’re aware that some data has been leaked. This appears to be from our internal HR files,” the library stated.

Meanwhile, the Rhysida ransom gang posted an alleged sample of the data on its dark leak site on November 19th, along with a countdown, now at six days, until publication.

The sample batch appears to include driver's licenses, passports, and other sensitive documents.

“With just seven days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data,” Rhysida posted, without indicating the amount of data it may be holding.

The group is offering up the data for 20 Bitcoin (BTC), which are currently worth roughly $38,000 each.


The library has stated there is no evidence that user data has been compromised, but out of caution, the book repository is urging those with British Library logins to change their passwords.

The British Library, considered the world’s largest repository of historical knowledge, is estimated to contain between 170 and 200 million items from nations around the world.

Its collection is said to span 390 miles (625 km) of shelving.

The library recently replaced 16 legacy systems and upgraded to an integrated digital system, a project which took a year and a half to complete.

The library said it is working to restore all services in the upcoming weeks, but said disruptions may persist as the investigations continue.


The UK’s National Cyber Security Centre (NCSC), the Metropolitan Police, and outside cybersecurity specialists have been brought in to assist.

The library also reiterated that it is open to the public, although some onsite digital services are still unavailable.

Free and ticketed events are happening, shops and eateries inside the library are also open, and credit cards are being accepted, it posted.

Over 16,000 people use the British Library collections each day, according to its website.

Rhysida ransom group

A newcomer to the ransomware scene, Rhysida has only been around since May 2023.

Rhysida, like many other active ransomware gangs, operates as a ransomware-as-a-service (RaaS) group, selling its Rhysida-0.1 variant to other criminals for a cut of the profits.

According to a November advisory by the US Cybersecurity and Infrastructure Security Agency (CISA), the gang is known for targeting the healthcare industry, although it has hit the education, government, manufacturing, and technology sectors as well.

Rhysida is also thought to have ties to Vice Society, another notorious threat group known for its attacks on the education sector, primarily in the US, Canada, and the UK.

Rhysida made waves after a successful attack on the Chilean government, which included leaking stolen data online in June, and the Prospect Medical Group in August.


By September, there were 40 victims listed on Rhysida's dark leak site, with many of the victims' data published by the group. That count is now up to 60.

The gang typically uses phishing attacks and Cobalt Strike to breach a victim’s network and deploy its unsophisticated namesake ransomware, according to an August bulletin by the US Department of Health.

It is also thought that Rhysida only targets systems that are compatible with handling PDF documents, not command line systems.

This is because the group has only been documented sending its ransom notes, titled “CriticalBreachDetected,” to victims in PDF format, the CISA advisory stated.

Rhysida is said to primarily focus on targets in Western Europe, North and South America, and Australia.

The group describes itself as a “cybersecurity team” that aims to help victims highlight potential security issues and secure their networks.