Breach in the Archive: The Fall of the British Library
Fifty hours before ransomware crippled the British Library, its security systems detected an external presence on the network. Lateral movement began within minutes. Automated systems blocked the activity.
By morning, the incident had been escalated. Vulnerability scans found nothing. Logs showed no repeat activity. A password reset was performed and the account was unblocked.
Two days later, at 1:30am on Saturday 28 October 2023, 440GB of data left the network. Half a million documents. Entire network drives from Finance, People and Technology. Keyword-based grabs for “passport” and “confidential.”
Six hours later, staff were locked out and a major incident was declared. The crisis had begun.
Shelves Full of Legacy
The British Library’s technology environment was not dysfunctional. It was recognisable.
A terminal services server put in place quickly in early 2020 to support pandemic remote access. It was protected by firewalls and antivirus, but not MFA. A pragmatic decision made under pressure, not negligence.
A sprawling technology estate built over decades of mergers, statutory obligations and digitisation programs. Modern cloud platforms running beside infrastructure that could not be replaced quickly.
Cyber Essentials Plus certification was achieved in 2019, then lost in 2022 when the standard evolved and the Library’s core systems could not be updated fast enough to comply.
And one telling detail. The Board had already approved cybersecurity uplift funding for 2023 to 2030. Sensible. Long term. Measured.
The attackers did not operate on a seven-year timeline.
When the Stacks Collapsed
The Library was not unprepared. Its digital collections were securely backed up. Cloud systems such as email, payroll and finance kept running.
Everything else was chaos.
Legacy applications could not be restored. Some vendors no longer existed. Others could not operate on modern secure infrastructure. Reading Rooms remained open, but only half of the physical collections were accessible. Digital collections, e-journals and research databases went dark for months.
The most damaging element was not encryption. It was server destruction. The Library knew what data it had but had nowhere to restore it.
This is the hidden cost of legacy systems. You can win the backup battle and still lose the recovery war.
The Library did not pay the ransom or negotiate with the attackers.
Reconstructing the Catalogue
Respond: five days to stabilise operations.
Adapt: six months of interim workarounds and partial service restoration.
Renew: an eighteen-month program to rebuild infrastructure from the ground up, consolidate legacy platforms and redesign for resilience.
This is not a patch job. It is institutional transformation forced by a single intrusion. While all of this unfolds, staff must still deliver services with manual processes and incomplete systems.
What This Chapter Teaches Us
- Risk registers lie by aggregation
The Library’s Board had set a sensible risk appetite. But dozens of accepted low-level exceptions, such as systems that could not support MFA or servers that needed extended access, accumulated into systemic exposure that no single line item revealed.
If your risk register does not show how individual exceptions compound, it is giving you false comfort.
- Security is not resilience
Backups worked. Infrastructure did not. Recovery time, not the breach itself, became the defining pain.
Attackers increasingly understand this. Destroying recovery paths compounds the pain of stolen data. If your recovery plan only exists on paper, you are betting the organisation on hope.
- Legacy debt is recovery debt
Old systems are not just harder to protect. They are nearly impossible to restore. Vendors disappear. Dependencies break. Modern security tools will not run on them.
A modernised estate would have contained the blast radius and shortened recovery from months to weeks. If you cannot justify modernisation for security, justify it for survivability.
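One way to make the first lesson concrete, as an added example that is not from the post and not the Library's own process: group accepted exceptions by asset, flag assets where several waived controls stack into a single path, and estimate the estate-wide likelihood that at least one "low" exception is exploited. The register rows, control names and chain definitions are constructed for illustration.

```python
from math import prod

# Constructed sample risk register (not the Library's real register): each row is an
# accepted exception that looks "low" when read as a single line item.
EXCEPTIONS = [
    {"id": "EX-01", "asset": "remote-access-server", "control": "mfa", "rating": "low"},
    {"id": "EX-02", "asset": "remote-access-server", "control": "internet_exposed", "rating": "low"},
    {"id": "EX-03", "asset": "remote-access-server", "control": "extended_access", "rating": "low"},
    {"id": "EX-04", "asset": "legacy-catalogue-app", "control": "patching", "rating": "low"},
    {"id": "EX-05", "asset": "legacy-catalogue-app", "control": "restore_tested", "rating": "low"},
    {"id": "EX-06", "asset": "finance-share", "control": "extended_access", "rating": "low"},
]

# Named patterns of waived controls that, stacked on one asset, compound into a materially
# worse exposure than any single row suggests. Names and labels are assumptions for this example.
CHAINS = {
    "unauthenticated_foothold": {"internet_exposed", "mfa"},
    "foothold_to_lateral_movement": {"internet_exposed", "mfa", "extended_access"},
    "unrecoverable_legacy": {"patching", "restore_tested"},
}


def missing_controls_by_asset(exceptions):
    """Collapse the register into {asset: set of controls waived on that asset}."""
    by_asset = {}
    for row in exceptions:
        by_asset.setdefault(row["asset"], set()).add(row["control"])
    return by_asset


def compound_findings(exceptions, chains=CHAINS):
    """Return (asset, chain, controls) for every chain fully present on a single asset."""
    findings = []
    for asset, missing in sorted(missing_controls_by_asset(exceptions).items()):
        for name, required in chains.items():
            if required <= missing:
                findings.append((asset, name, sorted(required)))
    return findings


def estate_likelihood(per_exception_probabilities):
    """P(at least one accepted exception is exploited), treating exceptions as independent."""
    return 1 - prod(1 - p for p in per_exception_probabilities)


if __name__ == "__main__":
    print("line items rated low:", sum(r["rating"] == "low" for r in EXCEPTIONS), "of", len(EXCEPTIONS))
    for asset, chain, controls in compound_findings(EXCEPTIONS):
        print(f"COMPOUND  {asset}: {chain} via {', '.join(controls)}")
    # Thirty independently "low" (2%/yr) exceptions give roughly a 45% chance one fires this year.
    print(f"estate-wide likelihood: {estate_likelihood([0.02] * 30):.0%}")
```

Every row reports "low", yet two assets carry complete chains and the aggregate likelihood across a few dozen such rows is far from low.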
Beyond This Chapter
The British Library is not a soft target. It is an example of how complex institutions become vulnerable, not because they ignore cyber risk, but because they balance it against every other operational and financial pressure.
Most public institutions and large enterprises fit this profile.
We say attacks are inevitable. That is true but incomplete. What is inevitable is that complexity accumulates faster than investment. Attackers exploit the gap.
Modern cyber risk management is not about blocking every intrusion. It is about ensuring your organisation survives one.
Working through something similar?
I help small firms put AI to work on real workflows. If this piece is close to a problem you have, get in touch.