
Why I wrote this: I mapped both breaches for a training deck and saw the same missed basics over and over.

Copying their recovery playbook without local offline processes is wishful thinking - practice yours.

[Chart: "Day 0 Recovery Lessons" - the author's original sketch of rough recovery checkpoints for small, medium, and large libraries (44%, 34%, 32%). Mark your own numbers on top of these.]

Two Libraries, One Day: The British Library & Toronto Ransomware Attacks

TL;DR

  • October 28, 2023: British Library (Rhysida gang) and Toronto Public Library (Black Basta gang) were hit with ransomware on the same day - not a coincidence.
  • British Library: £7 million recovery cost, 17+ months to partially restore; Toronto: 4 months offline, a million books manually processed from trucks.
  • The difference between disaster and blocked attack? Multi-factor authentication. Library of Congress was targeted by Rhysida on the same day - MFA saved them.
  • This is the preview. Ransomware groups know libraries are targets: valuable data, limited budgets, critical services, many entry points.

Here's how two major libraries got compromised in the same attack. October 28, 2023. The British Library in London and Toronto Public Library in Canada both detected Rhysida and Black Basta - two different ransomware gangs - on their networks at the same time. Not a coincidence. A coordinated hit on library infrastructure, and the aftermath tells you exactly why your library's network is next on the target list.

I've reviewed both incident reports - British Library published theirs in March 2024, Toronto's Information and Privacy Commissioner released theirs months later. What you see when you actually read them, stripped of corporate euphemism, is a chain of specific technical decisions that could have stopped these attacks cold. Instead, those decisions made the breaches inevitable.

Let me walk you through exactly how they got in, what could have stopped them, and which infrastructure choices turned inconvenience into disaster.

British Library: The Attack Timeline

Saturday, October 28, 2023, 11:29 PM GMT: The British Library's security systems detected the first evidence of an external presence on their network. Two minutes later, at 11:32 PM, attackers began moving through the network.

Early hours of Sunday, October 29: A security manager received an alert about suspicious activity. The activity was blocked and escalated for investigation. No further malicious activity was detected, and the compromised account was unblocked after a password reset.

This was a mistake. That "suspicious activity" was the Rhysida ransomware gang performing reconnaissance - mapping the network, identifying valuable targets, and planning their attack.

Sunday, October 29: The British Library disclosed an IT outage.

Tuesday, October 31: The library confirmed the disruption was due to a cyber attack.

November 16: The library confirmed this was a ransomware attack - an attempt at digital extortion.

November 20: Rhysida publicly claimed responsibility and launched a week-long auction for 490,191 stolen files on the dark web. They set the opening bid at 20 bitcoin - approximately £596,000 at the time.

November 27: The British Library refused to pay. In response, Rhysida released approximately 600GB of stolen data publicly on the dark web - 90% of what they'd taken.

The data included:

  • Personal information on library users
  • Employee records (names, addresses, social insurance numbers dating back to 1998)
  • Internal documents and communications
  • Sensitive institutional information

How Rhysida Got In: The Terminal Services Disaster

Investigations revealed the attack exploited a Terminal Services server. That's RDP - Remote Desktop Protocol - installed in February 2020 as a COVID emergency measure to let contractors access the network from home.

Here's the technical reality: Terminal Services without MFA is basically an open door. Attackers don't need to be sophisticated. They just brute-force the credentials. Username. Password. That's it.

That's how Rhysida got in. They either compromised a contractor's credentials through phishing - sent them a fake email, stole their password - or they just ran a password spray attack. Terminal Services on the public internet. Thousands of guesses per minute until something worked.

Once inside, lateral movement is trivial. They had contractor access. From there, they could enumerate the network, find file servers, identify valuable data. They spent time mapping the network - that's why the first detection on October 28 at 11:29 PM was reconnaissance activity. They were photographing the building before they robbed it.

The British Library reset a password. Moved on. They saw the attack happening and didn't recognize it.

What would have stopped them? One technical choice: Multi-factor authentication on that Terminal Services server. Attacker gets contractor credentials? Still can't get in without the second factor. Phone. Hardware token. Authenticator app. Any of it works. That's it. That's the entire difference between "attack fails immediately" and "£7 million in recovery costs."

Toronto Public Library: The Same Technical Failures, Different Gang

While Rhysida was inside the British Library, Black Basta - a different organized ransomware group - was hitting Toronto Public Library's network the same day. Same vectors. Same infrastructure failures. Different criminals operating in parallel.

TPL's attack started the same way: unauthorized access, likely through weak or missing MFA on remote access systems. Once inside, Black Basta moved laterally through the network, stole files, then encrypted critical systems.

October 28, 2023: TPL detected suspicious activity. By that point, Black Basta had already stolen personal files and encrypted network shares.

Within 24 hours: TPL isolated the infected systems. They contained it faster than the British Library did. But containment doesn't mean recovery.

By then the damage was done. The attack:

  • Shut down the library's internal network
  • Took down the library website
  • Disabled all public computers across 100 branches
  • Locked out patrons from online accounts
  • Froze the ability to check out, return, or renew materials digitally

TPL didn't pay the ransom. Like the British Library, they refused to fund further criminal activity.

The Data Breach Impact

Black Basta stole personal information on current and former Toronto Public Library employees and TPL Foundation staff dating back to 1998, including:

  • Names
  • Social insurance numbers
  • Government identification
  • Home addresses

TPL provided credit monitoring services to those affected. Fortunately, cardholder and donor databases were not compromised.

The Recovery: Months of Chaos

Both libraries kept their physical doors open. Both provided limited services. But the digital disruption was catastrophic.

British Library Recovery Timeline:

Late October - December 2023: Systems offline. Staff working on crisis response.

December 2023: British Library launched "Rebuild & Renew," an 18-month recovery program budgeted at £6-7 million (about 40% of their financial reserves).

January 15, 2024: Main catalog returned online in read-only format - 78 days after the attack.

Mid-April 2024: Infrastructure rebuild completed. Full restoration of systems and data began.

March 2025: Some services still not fully restored, 17 months after the attack.

Toronto Public Library Recovery Timeline:

October 28 - December 2023: All 100 branches remained open for in-person services, but with no digital access for patrons.

November-December 2023: Over one million returned items couldn't be processed. TPL stored them in twelve 53-foot tractor trailers.

Early January 2024: Staff began manually processing the backlog - a million books that needed to be checked in and reshelved.

Early February 2024: Computer services started coming back online.

Late February 2024: Staff finally finished putting the million stranded books back on shelves.

Early March 2024 (4+ months post-attack): Nearly all services restored, including online accounts, catalog searches, holds, and renewals.

The Financial Toll

British Library:

  • £6-7 million in recovery costs
  • 40% of financial reserves depleted
  • Ongoing costs for system modernization
  • Delays in Public Lending Right payments to authors
  • Suspension of fellowship programs
  • Lost research productivity (incalculable)

Toronto Public Library:

  • Exact costs not publicly disclosed
  • Credit monitoring for affected employees
  • Manual labor costs (staff manually processing millions of transactions)
  • System rebuild and security upgrades
  • Lost productivity and service interruptions

Neither library paid the ransom. Both paid far more in recovery costs.

The Technical Lessons: Where They Could Have Stopped This

I've reviewed both incident reports in detail. Here's what jumps out when you read past the apologetics: each attack had multiple hard stop points. Different decisions at any of those points and this article wouldn't exist.

1. Multi-Factor Authentication Stops 99% of This Attack

This deserves its own section because it's the entire story. The British Library's Terminal Services server didn't have MFA. Black Basta exploited the same gap at Toronto. Both attacks started with compromised credentials - either through phishing or brute force. Without MFA, those credentials were an all-access pass.

The Library of Congress was targeted by the same Rhysida group on the same day. Rhysida tried the exact same attack. LOC has MFA enabled. The attack failed. Zero damage. The attacker couldn't get in.

Library                   MFA Status                       Outcome
British Library           No MFA on contractor access      £7M recovery, 17+ months disruption
Toronto Public Library    Gaps in MFA coverage             4 months offline, data breach
Library of Congress       MFA enabled                      Attack blocked, zero damage

That's the difference between a £7 million disaster and a blocked attack. MFA is often free with existing systems like Microsoft 365 or Google Workspace.

2. Emergency Systems That Never Got Reviewed

The British Library stood up that Terminal Services server in February 2020. Emergency measure. Contractors need to work from home. Get them access fast, we'll secure it later.

They never secured it later. They had nearly four years to add MFA. They didn't.

This is infrastructure archaeology: when you have systems installed as emergency measures, they live in a weird half-secured state. They're in production. They're critical. But they weren't built with security requirements because they were supposed to be temporary.

If your library stood up remote access, VPNs, or cloud systems in 2020 as emergency measures and hasn't done a systematic security review since - added MFA, hardened permissions, implemented logging - you're literally running on the same infrastructure that failed at British Library. Different attacker, same result.

3. Third-Party Access = Your Network is Their Network

Rhysida started with compromised contractor credentials. They either phished someone or brute-forced credentials on the publicly exposed Terminal Services server. Either way, they got in using a contractor account.

Here's what that means: your library's network security is only as strong as your worst contractor's password security.

Look at your vendor list:

  • ILS provider (your integrated library system - they need production network access)
  • Database vendors (they patch your systems remotely)
  • IT support contractors (they need administrative access to manage servers)
  • Cataloging services (they connect to your systems)
  • Maintenance companies using IoT devices (printers, badge readers, security systems)

Each of these is a third-party account with access to your network. Most library contracts don't specify security requirements for those vendors. You don't know if they use MFA. You don't know if they properly secure their credentials. You don't know if they're even monitoring for compromises.

If they had just required MFA for every third-party account - put it in the contract, make it non-negotiable - this attack stops completely. Contractor compromised? Doesn't matter. They still can't log in without the second factor.

4. Detection Without Interpretation Is Theater

The British Library's security systems did exactly what they were supposed to do. They detected suspicious activity on the Terminal Services server at 11:29 PM on October 28. Unauthorized login. A security manager got the alert and investigated.

What they saw was reconnaissance. Attackers probing the network, mapping systems, testing what they could access. Standard pre-attack reconnaissance.

But the investigation process didn't include someone who understood ransomware attacks. Someone who would say: "This isn't a mistyped password. This is an attacker mapping our network. Lock everything down. Now."

Instead: Password reset. Move on. The attacker stayed on the network, continued mapping, and seven days later came back to encrypt everything.

If they had just escalated that alert to someone with the technical knowledge and authority to say "shut it down immediately" - if they had treated reconnaissance as an active attack - the whole thing stops on October 28 at 11:35 PM.
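The alert-triage gap described above is where automation can help a small IT team: the difference between "someone mistyped a password" and "someone is guessing credentials on the remote-access server, and one guess just worked" is visible in the logon log if anyone looks. The following is an added example, not code from either incident report or either library: it reads a constructed set of remote-desktop logon records (the field layout and the IP addresses are invented; the event ids 4625/4624 and logon type 10 follow the Windows Security log convention) and classifies each source address as a password spray, a brute-force attempt, or noise, escalating to "critical" when a guessing source later logs in successfully. The thresholds are assumptions to tune against your own baseline.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of remote-desktop logon events, invented for this example.
# Fields: timestamp, event id, account, source IP, logon type. Event ids follow
# the Windows Security log convention (4625 = failed logon, 4624 = successful
# logon); logon type 10 is RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = """\
2023-10-28T22:50:00Z,4625,jsmith,10.0.5.12,10
2023-10-28T22:50:20Z,4625,jsmith,10.0.5.12,10
2023-10-28T22:51:00Z,4624,jsmith,10.0.5.12,10
2023-10-28T23:10:02Z,4625,contractor01,203.0.113.45,10
2023-10-28T23:10:03Z,4625,contractor02,203.0.113.45,10
2023-10-28T23:10:04Z,4625,contractor03,203.0.113.45,10
2023-10-28T23:10:05Z,4625,contractor04,203.0.113.45,10
2023-10-28T23:10:06Z,4625,contractor05,203.0.113.45,10
2023-10-28T23:10:07Z,4625,contractor06,203.0.113.45,10
2023-10-28T23:29:00Z,4624,contractor04,203.0.113.45,10
""" + "".join(f"2023-10-28T23:40:{i:02d}Z,4625,admin,198.51.100.9,10\n" for i in range(12))

# Assumed thresholds; tune them to the normal failed-logon rate on your server.
SPRAY_DISTINCT_ACCOUNTS = 5   # one source failing against this many accounts
BRUTE_FORCE_FAILURES = 10     # one source failing this often against one account


def parse_events(text):
    """Parse the constructed CSV-style records into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, src_ip, logon_type = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "account": account,
            "src_ip": src_ip,
            "logon_type": int(logon_type),
        })
    return events


def triage_remote_logons(events):
    """Group RDP logon events by source IP and classify guessing patterns.

    A finding is 'critical' when a source that was guessing credentials later
    logs in successfully: that account is compromised and the host needs to be
    isolated and investigated, not just given a password reset.
    """
    failures = defaultdict(list)   # src_ip -> [(ts, account)]
    successes = defaultdict(list)  # src_ip -> [(ts, account)]
    for e in events:
        if e["logon_type"] != 10:
            continue
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append((e["ts"], e["account"]))
        elif e["event_id"] == 4624:
            successes[e["src_ip"]].append((e["ts"], e["account"]))

    findings = []
    for src_ip, fails in failures.items():
        per_account = Counter(account for _, account in fails)
        if len(per_account) >= SPRAY_DISTINCT_ACCOUNTS:
            pattern = "password_spray"
        elif max(per_account.values()) >= BRUTE_FORCE_FAILURES:
            pattern = "brute_force"
        else:
            continue  # a couple of failures on one account looks like a typo
        first_fail = min(ts for ts, _ in fails)
        # Any success from the same source after the guessing began means a
        # guess worked; treat the account as compromised.
        compromised = sorted({acct for ts, acct in successes.get(src_ip, [])
                              if ts > first_fail})
        findings.append({
            "src_ip": src_ip,
            "pattern": pattern,
            "failed_accounts": len(per_account),
            "compromised_accounts": compromised,
            "severity": "critical" if compromised else "high",
            "action": ("isolate the host, disable the account, open an incident"
                       if compromised else
                       "block the source and review why this service is reachable"),
        })
    return findings


if __name__ == "__main__":
    for finding in triage_remote_logons(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On the constructed input, the internal address with two failures and a success produces no finding (that is the mistyped password), the spray source that later logs in as one of the accounts it was guessing is reported as critical, and the twelve failures against a single account from a third source are reported as high-severity brute force with no successful logon. The point is the severity split: a password reset is a reasonable response to the first case and the wrong response to the second.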

5. These Are Professional Operations Running a Business

Let me be direct: Rhysida and Black Basta don't hack libraries because they got bored. They do it because libraries are profitable targets and their business model depends on volume.

Both groups followed the same playbook:

  • Find entry point (compromised credentials on publicly exposed remote access)
  • Map the network and find valuable data
  • Steal everything (exfiltrate the data)
  • Encrypt critical systems
  • Destroy recovery options (delete backups, wipe shadow copies)
  • Demand ransom with threat of data release
  • Release data publicly when ransom isn't paid

This wasn't simultaneous by accident. These groups either share intelligence or - more likely - they both put libraries on their target list because libraries are soft targets with value. Patron data. Employee records. Institutional systems that generate pressure to pay.

If they had just made the basic infrastructure choices - MFA, network segmentation, immutable backups - both attacks would have failed at step one. But the same failures exist at thousands of other libraries.

6. Recovery Isn't Restoration - It's Forensic Surgery

Here's what most people miss: recovery doesn't mean "turn systems back on." Recovery means "figure out what they did, make sure they're gone, rebuild everything from scratch, then turn systems on."

British Library had incident response plans. Had backups. Had professional IT teams. It took 78 days just to get the main catalog back in read-only mode. They didn't finish recovery for 17+ months.

Toronto had the same infrastructure. It took them 4+ months to restore services.

Why so long? Because attackers don't just encrypt files. They:

  • Exfiltrated 600GB of data from British Library (took weeks to identify what was stolen)
  • Destroyed backup infrastructure (overwriting or deleting backups so recovery is impossible)
  • Wiped security logs (so you have no record of what they did, how deep they went, what they touched)
  • Installed persistence mechanisms (backdoors to get back in later)

Recovery then means: forensic investigation to understand the scope, malware removal to ensure they're actually gone, complete infrastructure rebuild assuming everything is contaminated, and careful restoration from backups (if they're intact - many aren't).

If they had just implemented air-gapped backups - backups stored offline, unreachable from the network - the recovery timeline drops dramatically. Toronto could have been back in weeks instead of months. British Library similarly.

7. The Financial Impact Goes Beyond Tech Costs

The British Library:

  • Lost research productivity (scholars couldn't access materials)
  • Delayed author payments (Public Lending Right system was down)
  • Canceled fellowship programs
  • Suffered reputational damage

Toronto Public Library:

  • Hundreds of staff hours spent manually checking in a million books
  • Lost patron trust (personal data stolen)
  • Community impact (digital divide widened when public computers went offline)

The spreadsheet costs are bad enough. The intangible costs are worse.

The Questions Your Library Needs to Answer Right Now

If the British Library and Toronto Public Library - two well-funded, professionally staffed institutions - can be offline for months, what chance does your library have?

Ask yourself:

1. Do all your systems require multi-factor authentication?
Not just for staff. For contractors. For vendors. For remote access. For everything.

2. Have you reviewed security on systems set up during COVID?
If you stood up remote access, VPNs, or cloud systems in 2020-2021 as emergency measures, have they been properly secured since?

3. What third-party access do you have to your network?
Make a list. Every vendor. Every contractor. Every system integration. Then ask: Do we trust their security?

4. Can you detect AND interpret suspicious activity?
Do you have security monitoring? Do you have someone who can recognize reconnaissance activity? Do they have authority to lock things down immediately?

5. Are your backups actually restorable?
When's the last time you tested a full system restore from backup? Not just "Do the backups exist?" but "Can we actually restore from them?"

6. What's your incident response plan?
Who makes decisions during a breach? How do you communicate with patrons? Staff? The public? Law enforcement? Do you have contracts with forensic investigators ready to go?

7. How long can you operate with systems down?
Toronto kept 100 branches open without digital systems for 4 months. Could you do that? Do you have manual processes documented and ready?
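Question 5 above is the one most libraries answer by checking that a backup job ran, which is not the same as checking that the backup restores. The following is an added example, not code from either library or either incident report, of the minimum restore test worth scheduling: build a tar archive of a directory, record a manifest of file hashes at backup time (kept somewhere the network cannot reach, per the air-gapped backup point above), then extract the archive into a scratch directory and compare every file against the manifest, reporting anything missing or altered. The directory names and file contents are constructed; the second archive in the demo deliberately captures a corrupted file and a deleted one to show what a failed test looks like.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large catalog dumps do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src_dir, archive_path):
    """Archive src_dir and return the manifest to store offline alongside it."""
    manifest = build_manifest(src_dir)
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(src_dir), arcname=".")
    return manifest


def verify_restore(archive_path, manifest, scratch_dir):
    """Extract the archive into scratch_dir and check it against the manifest."""
    scratch_dir = Path(scratch_dir)
    scratch_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive_path), "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            # Python 3.12+ extraction filter rejects absolute or '..' paths
            tar.extractall(scratch_dir, filter="data")
        else:
            tar.extractall(scratch_dir)
    restored = build_manifest(scratch_dir)
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(name for name, digest in manifest.items()
                       if name in restored and restored[name] != digest)
    return {
        "restored": len(restored),
        "missing": missing,
        "corrupted": corrupted,
        "ok": not missing and not corrupted,
    }


def run_demo():
    """Constructed scenario: one good backup, one that silently lost data."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "ils_data"
        (src / "config").mkdir(parents=True)
        (src / "patrons.db").write_bytes(b"constructed sample patron table")
        (src / "config" / "ils.ini").write_text("mode=production\n")

        manifest = create_backup(src, work / "nightly.tar.gz")
        good = verify_restore(work / "nightly.tar.gz", manifest, work / "restore_good")

        # Simulate a later backup job that captured a corrupted database file
        # and missed a config file, then test it against the trusted manifest.
        (src / "patrons.db").write_bytes(b"GARBAGE")
        (src / "config" / "ils.ini").unlink()
        create_backup(src, work / "nightly_bad.tar.gz")
        bad = verify_restore(work / "nightly_bad.tar.gz", manifest, work / "restore_bad")
        return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("good backup:", good)
    print("bad backup: ", bad)
```

The manifest is the piece that makes this a test rather than a ritual: if it lives on the same share as the backups, an attacker who reaches the backups can rewrite both, so keep it on the offline copy. A scheduled run of `verify_restore` against last night's archive, with a failed `ok` paged to a human, is the cheapest way to learn about a broken backup before you need it.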

What You Should Do This Month

Don't wait for a wake-up call like the one British Library and Toronto Public Library got.

If You Have Zero Budget (Free/Low-Cost Actions):

Week 1:

  • Enable MFA on ALL systems (free with most email/cloud services like Microsoft 365, Google Workspace)
  • Inventory all third-party access to your network (spreadsheet exercise, no cost)
  • Test your backups (time investment only - critical to confirm they actually work)

Week 2:

  • Audit COVID-era systems for security gaps (if you set up remote access in 2020, review it now)
  • Document manual processes for operating without digital systems (write down how to check out books manually, run programs offline)
  • Join MS-ISAC (Multi-State Information Sharing and Analysis Center - FREE security services for state/local governments including libraries)

Week 3:

  • Create a one-page incident response plan (who calls who, who talks to press, who contacts law enforcement)
  • Identify free/low-cost partners: Community college IT programs, state library IT support, regional consortia
  • Run a 90-minute tabletop exercise with staff: "What if our systems went down tomorrow?"

Week 4:

  • Use free phishing training from CISA, KnowBe4 (free tier), or state library associations
  • Review your insurance (do you have cyber coverage? What's covered?)
  • Brief leadership using the British Library/Toronto/Seattle examples ($7M, $1M costs)

If You Have $10K-50K Budget:

Add these to the above:

  • Cyber insurance ($15K-25K annual premium for mid-sized library)
  • One-time security audit ($10K-20K from regional IT firm or state consortium)
  • Backup system upgrade (air-gapped or immutable backups)
  • Retainer agreement with incident response firm (pay for hours as needed)

If You Have $50K+ Budget:

Add these:

  • Managed security services (outsourced security monitoring)
  • Comprehensive pen testing (identifies vulnerabilities)
  • Staff cyber security training program (ongoing, not one-time)

The Part Nobody Wants to Say Out Loud

The British Library and Toronto Public Library weren't anomalies. They were the warm-up acts.

Ransomware groups put libraries on their target list because the math is simple:

  • Libraries have valuable data (patron information, employee records, decades of institutional knowledge)
  • Libraries provide critical public services (trustees and directors will authorize budgets to restore them)
  • Libraries are chronically underfunded for cyber security (the infrastructure is 10+ years old, the IT staff is two people)
  • Libraries have dozens of vendor integrations (each one a potential entry point)
  • Libraries don't have security monitoring (nobody's watching the network 24/7)

From a criminal perspective? Libraries are a target-rich environment.

And here's the pattern that should terrify you: It's accelerating. Baker & Taylor compromise in August 2022. British Library and Toronto hit in October 2023. Seattle Public Library in May 2024. Library of Congress targeted (and defended) October 2023.

The attacks aren't slowing down. The groups aren't moving on to softer targets. They're learning what works and scaling it.

Your library is on that list. If it isn't right now, it will be in the next 12 months. The question isn't whether you'll be targeted. The question is whether you'll be defended.


Further Reading

Need help assessing your library's ransomware readiness? Let's talk.


Where This Comes From

I spent weeks reading the official British Library cyber incident review and Toronto Public Library's cyber security report. These aren't glossed-over summaries - they're detailed technical breakdowns of how the attacks actually worked, what failed, what worked, the decisions people made in real time.

I also cross-referenced CISA threat assessments and Rhysida/Black Basta threat intelligence to understand the attacker side.

When you read incident reports like this - not the press releases, not the sanitized board summaries, the actual technical review - patterns jump out. The same vulnerabilities appear over and over. The same decisions that could have stopped attacks don't get made. The same infrastructure failures that cost millions get called "unforeseen" when they were completely foreseeable.
