British Library begins contacting customers as Rhysida leaks data dump

CRM databases were accessed and library users are advised to change passwords


The Rhysida ransomware group has published most of the data it claimed to have stolen from the British Library a month after the attack was disclosed.

Infosec experts originally speculated that the group may not have stolen much in the way of data, but the creator of Have I Been Pwned?, Troy Hunt, said the dump "looks rather substantial."

The Register has not examined any of the data posted online, but a cursory perusal of the file trees leaked to Rhysida's website appears to show data related to various British Library departments, functions, and stakeholders. 

Rhysida's website indicates that 490,191 files are included in the leak, totaling 573 GB. When the criminals first announced the leak, they put the data up for auction with a starting bid of 20 Bitcoin (roughly $760,000 at today's exchange rate).

The site also appears to show that 90 percent of the data had been uploaded, alongside a small message suggesting at least some of the data was sold. "Not-sold data was uploaded, data hunters, enjoy."

Richard Cassidy, Field CISO EMEA at Rubrik, told us: "With cyberattacks such as the recent British Library attack, where data has allegedly been stolen, it is crucial to understand that ransomware groups like Rhysida are no longer just hackers, but are savvy business operators."

"Unfortunately, extortion, including the increasingly common practice of double extortion, offers high returns on a hacker's investment."

In an update posted to its still-floored website on Monday evening, the British Library confirmed Rhysida's earlier claims that data had been stolen and advised customers to change passwords if they had reused them elsewhere.

The institution also said the disruption to its operations, which has been widespread, may persist for several months further.

"We're experiencing a major technology outage as a result of a cyberattack," its website read. "The outage is affecting our website, online systems, and services, as well as some onsite services, however, our buildings are still open as usual. We anticipate restoring more services in the next few weeks, but disruption to certain services is now expected to persist for several months.

"Having confirmed that this was a ransomware attack, we now have evidence that indicates the attackers might have copied some user data, and additional data appears to have been published on the dark web.

"We will continue to work with cybersecurity specialists to examine what this material is and we will be contacting our users to advise them of the practical steps they may need to take."

According to disclosure notices sent to customers, seen by The Register, Rhysida accessed the library's CRM databases, and "at a minimum" these contain the names and email addresses of most of its customers.

Postal addresses or telephone numbers may also be included if a customer used certain library services, which weren't specified.

No financial details are thought to be at risk since the library outsources the management of this to "secure third-party payment providers."

After reiterating its ongoing work with cybersecurity experts to investigate and remediate the incident, the library issued an apology to its customers, adding that it hopes the additional information about the risk to data would offer customers "a clearer picture of the situation as it stands."

The British Library has a full breakdown of what services are and aren't available on its blog, separate from the downed website, but this remains largely unchanged from previous status updates. However, its Wi-Fi network appears to be back up, as are its card payment terminals.

"The scale of the attack on the British Library highlights the importance of continuous improvement in cybersecurity practices to effectively combat such sophisticated attacks," said Jake Moore, global cybersecurity advisor at ESET. "The length of time this has been affecting the organization and its users also underlines how companies struggle in the aftermath of an attack. 

"The use of unique passwords is also impacted and noticeable when the British Library is left reminding people to change their passwords for other sites which could also be affected.

"Now the stolen data is on the dark web it will be impossible to remove it, so the clean-up process involves working with the authorities as well as informing those affected of the best practices going forward. The small positive that can come from this attack is that there is now the hope that other organizations will fear this could just as easily happen to them and will therefore improve their protection where possible." ®
