US Library Ransomware Attacks: Timeline and Pattern Analysis

While the world was paying attention to the British Library and Toronto Public Library ransomware attacks in late 2023, American libraries were getting hit too.

You probably didn't hear about most of them. Some made local news. A few got brief mentions in library trade publications. But most flew under the radar.

That\'s a problem. Because what\'s happening to U.S. libraries right now is a systematic, accelerating pattern of attacks. And most libraries still think "it won't happen to us."

Let me show you what's actually happening.

Baker & Taylor: When Your Vendor Gets Hit, You Get Hit

August 20-21, 2022: Baker & Taylor, at the time one of the largest book distributors serving over 5,000 public and academic libraries across North America (the company has since ceased operations), was hit with a ransomware attack over the weekend.

The attack took down:

• Title Source 360 (the ecommerce system libraries use to order materials)
• EDI services (automated transactions with library systems)
• Phone systems
• Offices and service centers

For 17 days, thousands of libraries couldn't order books.

Think about that. Not a direct attack on libraries. An attack on their critical vendor. But the impact? Thousands of libraries disrupted simultaneously.

Baker & Taylor took systems offline proactively to contain the attack. Their IT team and outside consultants worked around the clock. By August 30, they'd finished remediating and sanitizing systems. By September 7, Title Source 360 was back online.

Total outage: 17 days.

Ransomware group: Never publicly identified.

Ransom payment: Baker & Taylor never disclosed whether they paid.

Board asking about security funding?

You might think: "We don\'t control our vendor\'s security. What can we do?"

Here's what you can do:

1. Ask vendors about their cyber security practices before signing contracts
2. Require vendors to notify you within 24 hours of a breach
3. Have backup vendors identified for critical services
4. Include cyber incident response clauses in contracts

Because when your vendor goes down, your library goes down. And you don't get to choose the timing.

Seattle Public Library: $1 Million to Recover

May 2024: Seattle Public Library's systems were hit with ransomware. All 27 locations were affected.

What went offline:

• Library catalog
• Public computers
• Internet access
• Internal systems
• Website

Unlike some libraries that tried to downplay the impact, Seattle was transparent about the costs:

Consultant fees: ~$800,000

• $400,000 for forensic investigation and ransom negotiation
• $262,000 to restore the network and computer terminals
• Additional consulting costs

Extra IT costs: ~$200,000

Total projected cost by year-end: $1 million

And that\'s just the direct response costs. It doesn\'t include:

• Lost productivity
• Staff overtime
• Patron impact (no computer access in a city with significant digital divide issues)
• Long-term security upgrades

What Seattle Did Right

Seattle hired forensic investigators immediately. They brought in ransom negotiators (even though they ultimately didn't pay). They restored systems methodically instead of rushing.

But here's the thing: They had to spend $1 million to do it right.

Most libraries don't have a million-dollar incident response budget sitting around. Seattle is a major urban system with resources. What happens when a small rural library system gets hit?

Library of Congress: The Attack That Didn't Succeed

October 28, 2023 (the same day as British Library and Toronto): The Library of Congress was targeted by a cyberattack, likely by the same Rhysida group that hit the British Library.

The attack failed.

Why? Multi-factor authentication.

The hackers tried to get in through the same type of entry point that worked at the British Library: remote access credentials. But LOC had MFA enabled on that system.

The hackers couldn't get past the second authentication factor. Attack blocked.

The $0 Incident

Library of Congress's costs:

• Investigation time: A few staff hours
• Remediation: Password resets, security review
• Recovery: $0 (because nothing was compromised)
• Downtime: 0 hours

This is the story every library should be telling. MFA works. It's not perfect, but it stops the vast majority of credential-based attacks.

And credential compromise is how most ransomware attacks start.

Pierce County Library System: Now We Know

Timeframe: April 15–21, 2025

Pierce County Library System in Washington State was breached by the INC Ransom gang, who claimed the attack on May 22, 2025. The group said they exfiltrated 1.94 TB of data.

What we now know (per SecurityWeek and Comparitech):

• Over 340,000 people were affected
• Patron data included names and dates of birth
• Employee data included Social Security numbers, driver's licenses, passports, and financial information
• Services disrupted: catalog, self-checkout, library cards, printing, public computers
• PCLS began notifying affected individuals in December 2025 and is offering 12 months of credit monitoring

The Problem with Silence

I understand why libraries don't want to talk about breaches. Negative publicity. Patron concern. Legal liability.

But the silence is making things worse.

When libraries don\'t share information about attacks, other libraries don\'t learn. They don\'t know what to look for. They don\'t know what works and what doesn\'t. They don\'t know how bad it can get.

The British Library published a detailed incident review. Toronto released cyber security reports. Seattle was transparent about costs.

That transparency helps other libraries prepare. Silence just leaves everyone vulnerable.

The Broader Pattern: Why Libraries Are Targets

Let's zoom out. Why are ransomware groups targeting libraries?

1. Libraries Are Soft Targets

Most libraries:

• Run on tight budgets (limited cyber security investment)
• Rely on small IT teams (or shared regional IT)
• Use legacy systems (harder to patch and secure)
• Have limited cyber security expertise
• Lack dedicated security staff

Ransomware groups know this. They're not going after hardened targets when there are thousands of under-defended libraries.

2. Libraries Provide Critical Public Services

Ransomware works because victims need their systems back now. Hospitals can\'t operate without patient records. Schools can\'t function without student data. Governments can't deliver services without their databases.

Libraries provide internet access for job seekers. Computer access for students. Research resources for the community. Book checkout for families.

When those services go offline, there's public pressure to restore them quickly. And that pressure creates willingness to pay ransoms.

3. Libraries Have Valuable Data

Patron records. Employee information. Financial data. Donor records. Vendor contracts. Research materials. Historical archives.

All of it has value, either for direct exploitation (identity theft) or as leverage for ransoms.

4. Libraries Are Connected to Bigger Networks

Public libraries are often connected to municipal networks. Academic libraries connect to university systems. Regional library consortia share infrastructure.

Compromise one library, and you might get access to city government systems, university research data, or dozens of other libraries.

Libraries aren\'t islands. They\'re entry points.

5. Ransomware Is Now Ransomware-as-a-Service

This isn't lone hackers anymore. Ransomware is a business model.

Groups like Rhysida, Black Basta, LockBit, and dozens of others operate like software companies:

• They develop ransomware tools
• They sell or license those tools to "affiliates"
• Affiliates carry out attacks
• They split the ransom payments

This industrialization means:

• More attacks (easier to execute)
• More sophisticated attacks (better tools)
• More targets (affiliates need volume)

And libraries fit the target profile perfectly.

What We're Not Tracking (But Should Be)

Here\'s what bothers me: We don\'t have comprehensive data on library cyberattacks in the U.S.

We know about:

• Baker & Taylor (August 2022)
• Library of Congress attempted attack (October 2023)
• Seattle Public Library (May 2024)
• Pierce County Library System (April 2025, 340K+ affected)

But how many more happened that didn't make the news? How many small library systems got hit and quietly paid ransoms or recovered without public disclosure?

We don\'t know. And that\'s a problem.

The American Library Association doesn\'t maintain a public database of library cyber incidents. State library agencies don\'t track it comprehensively. There's no central reporting mechanism.

Which means libraries are fighting this threat blind, without good data on:

• Attack frequency
• Attack methods
• Success rates
• Recovery costs
• What works for defense

We need better information sharing. Yesterday.

What Your Library Should Do This Week

I'm not going to sugarcoat this: Most U.S. libraries are not prepared for a ransomware attack.

But you can start getting prepared today.

Immediate Actions (Do These This Week):

1. Enable MFA on everything
Every system. Every user. Every vendor connection. No exceptions.

2. Test your backups
Not "Do we have backups?" but "Can we actually restore from them?" Test a full restore.

3. Inventory third-party access
List every vendor, contractor, or service that has network access. Then audit their security.

4. Review your cyber insurance
Do you have it? Does it cover ransomware? What are the limits? What's excluded?

5. Create a communication plan
If your systems go down tomorrow, who communicates with patrons? Staff? The board? The press? Law enforcement?

Write it down. Now. Before you need it.

Short-Term Actions (Next 30 Days):

6. Run a tabletop exercise
Gather key staff and walk through a ransomware scenario. "It's Monday morning. Our systems are encrypted. What do we do?" Identify gaps.

7. Harden COVID-era systems
Any remote access, VPN, or cloud system set up during 2020-2021 needs a security review. Assume they're vulnerable until proven otherwise.

8. Identify incident response partners
Research and vet forensic investigation firms, cyber insurance claims specialists, and legal counsel before you need them. In a crisis, you don't have time to comparison shop.

9. Train staff on phishing
Run simulated phishing exercises. Most ransomware starts with a phishing email. Train staff to recognize and report suspicious messages.

10. Review vendor contracts
Add cyber security requirements to all vendor contracts:

• Notification within 24 hours of a breach
• MFA required for all access
• Regular security audits
• Indemnification for vendor-caused breaches

Long-Term Actions (Next 6-12 Months):

11. Budget for cyber security
Stop treating security as an afterthought. Library boards and funders need to understand: cyber security is not optional. It's infrastructure.

12. Join information-sharing networks
Connect with library cyber security groups. LITA\'s old Security Interest Group was merged into ALA Core in 2020, but resources like MS-ISAC (free for government entities including libraries) and ALA\'s cyber security toolkit are solid starting points. Share information. Learn from others' incidents.

13. Develop manual fallback procedures
Toronto kept 100 branches open without digital systems for 4 months. Can you do that? Document manual processes for circulation, reference, programming, and operations.

The Question Nobody Wants to Ask

Here it is: Should libraries pay ransoms?

The official answer, from the FBI, from cyber security experts, from law enforcement, is no. Paying ransoms:

• Funds criminal enterprises
• Doesn\'t guarantee you\'ll get your data back
• Marks you as a willing payer (making you a future target)
• May be illegal (if the ransomware group is on sanctions lists)

The British Library didn\'t pay. Toronto Public Library didn\'t pay. Seattle Public Library didn't pay.

But some libraries have paid. We know this because ransomware groups publish statistics (they're businesses, remember). And they count libraries among their paying customers.

So what should you do if you get hit?

My answer: Make that decision now, before an attack, with clear criteria.

Decide:

• Under what circumstances would we consider paying? (e.g., if backups are destroyed, if patient/patron safety is at risk)
• Who has authority to make that call? (board? director? city government?)
• What legal and ethical review process will we follow?

Document it. Get board approval. Make it policy.

Because if you wait until you're staring at encrypted systems and a ransom demand on your screen, you won\'t make a good decision. You'll make a panicked one.

This Isn't Going Away

Here\'s what we know about the trend: Ransomware attacks on the education sector (which includes libraries) have surged dramatically. While comprehensive library-specific statistics aren\'t available due to lack of central reporting, cyber security firms like Emsisoft and Recorded Future document significant increases:

• Education sector ransomware attacks increased 84% between the first and second halves of the June 2022-May 2023 period (Malwarebytes/ThreatDown)
• Libraries represented a growing target within that sector, with major incidents at British Library, Toronto, Seattle, and Baker & Taylor
• Government-related entities (including public libraries) are increasingly targeted because they provide critical services and often lack well-funded cyber security teams

We don\'t have precise library-specific statistics because there\'s no mandatory reporting mechanism. Many smaller library breaches never make the news. But the documented cases (Baker & Taylor, British Library, Toronto, Seattle, Pierce County) represent just the tip of the iceberg.

And 2025 showed no signs of slowing down. If anything, attacks are accelerating.

The British Library and Toronto attacks were wake-up calls. But most libraries hit the snooze button.

Don't be one of them.

Further Reading:

• Ransomware on the Rise: Protecting Library Systems - Public Libraries Online (2024)
• Library cyber security Toolkit - ALA
• CISA Ransomware Guide for Organizations
• Seattle Public Library Ransomware Response Analysis - StateScoop

Need help building a ransomware response plan for your library? Contact me.