How the British Library cyberattack disrupted research

Academics who rely on the British Library’s unmatched collection are still feeling the impact of a devastating cyberattack a year ago. Jack Grove hears from those affected and considers how another catastrophic breach might be averted

November 21, 2024
Montage of the British Library with fingerprints to illustrate ‘We are vulnerable when we go digital’
Source: Getty Images montage

The thousands of scholars who were used to trawling the British Library’s digitised archives from their desks and summoning obscure journal papers in a few seconds had their research thrown into turmoil when Russian hackers breached the library’s cyberdefences last October.  

At a stroke, the 170 million items in the library’s collections were put beyond reach, and despite immense efforts to restore access, many materials remain inaccessible.

“Nearly everything I need is in the British Library, so I’ve spent the majority of my time this summer emailing other libraries asking if they have various items,” explains Liz Tregenza, lecturer in cultural and historical studies at the London School of Fashion, part of the University of the Arts London, whose research into 20th-century British clothing relies heavily on locating magazine and trade press articles. “Sometimes I’ve found myself wondering if I should go and stay in Edinburgh for a few days just because their libraries have the resources that I need,” she reflects on how once-streamlined research efforts became tortuous.

Academics have been stymied not just by the loss of digital resources, but also by the impossibility of accessing print materials after the hack crashed search and retrieval functions, explains Tregenza. “The library has historic newspapers that no one else subscribed to. But although they hold them in store, I haven’t been able to get anything from before 1977,” she says. “Some have been sitting on a shelf in low-oxygen storage up in Boston Spa [the library’s Yorkshire outpost] – you actually need a robot to retrieve them.”

ADVERTISEMENT

One scholar puts things more bluntly: “The reading rooms at the British Library used to be buzzing with academics; now they’re dead. Most people decided it’s not worth going.”

While many library services have been recently restored – an interim remote ordering service for the reading rooms came online in late September, alleviating the two-hour waits following pen-on-paper requests that had become the norm – some feel that the anniversary of the attack should prompt a reckoning about how it happened and whether the British Library and other academic libraries are fully across the immense challenge of digitisation.

ADVERTISEMENT

Some go further, wondering if libraries should reconsider the steady march away from physical print materials towards electronic-only resources. “It shows how vulnerable we are when we go digital,” says Nicholas Till, professor of opera and music theatre at the University of Sussex, who says he gave up visiting the library because of the delays in ordering books.

“Yes, libraries can burn down. But the virtual wipeout of access to the nation’s largest repository of knowledge for more than a year shows how easily it could be obliterated forever if everything were to be digitised,” he says.

Previously, it might have been easy to dismiss such statements as nostalgia for a less hectic analogue age of academia, but the sheer disruption caused by the attack might change the debate, says Till, who is surprised at “how little reporting there’s been of what was an attack on a major national resource”.

“A huge amount of research will have been impacted by the outage – this on top of the Covid closures,” he says. For Till, the library is just a 10-minute cycle ride from his home. Others, however, are not so fortunate. “Imagine the situation of a colleague who has to travel up to London from Brighton or Exeter to use the library, and then loses a further chunk of research time ordering and waiting for books to be delivered.”

A montage of the Magna Carta with a shadowed hand pointing, set against a backdrop of stars
Source: 
Getty images montage

Given that most academics will have only a limited window – usually during the summer – to undertake research, the British Library’s problems cannot be dismissed as merely an inconvenience, says Tregenza, who points out that publications play a crucial role in academic hiring and promotions decisions. Sympathising with other authors who have been affected, she says, “I’m just glad I didn’t have to meet a book publishing deadline. Everything has been so time-consuming.”

Particularly exasperating for her has been the loss of the Electronic Theses Online System (EThOS), which contains more than 600,000 PhD dissertations and is housed at the British Library. “At my stage of my career, I’m trying to recruit PhD students, but that’s difficult when you don’t know what’s already been written about,” she explains.

For PhD students cut off from research resources while their funding runs down, the situation has been especially dire, says Richard Ovenden, librarian at the University of Oxford’s Bodleian Library. “People have been stopping me in the street saying their graduate students are at their wits’ end – they’ve sent them to an archive and the materials just aren’t available,” explains Ovenden. “It’s not just doctoral students and thesis deadlines hit by this. People have book deals to honour, final exams approaching, or have paid significant tuition fees and need to get their work done,” he continues.

To this end, Oxford has spent £200,000 acquiring additional materials in the past year to help those students and staff left high and dry by the British Library outage, says Ovenden. “That might mean buying an entire e-book package to give access to 10,000 books that the academic community needs,” he says, adding: “It’s not enough to say these materials will come back eventually – we need to provide the data that people need now, even if it means diverting significant resources.”

ADVERTISEMENT

For Ovenden, the cyberattack and subsequent disruption highlight the need to invest substantial sums in the digital infrastructure on which UK libraries, academia and, more broadly, public services increasingly rely. “The nation should be funding this properly – it should be an urgent priority,” he says.

“We’ve taken for granted how easy it is to call up resources from any corner of the world, but this requires digital infrastructure with defence systems that are up to date, which means investment,” he continues. “I don’t think we realise how vulnerable we are to these sorts of attacks – not just the BL, but the NHS, schools, universities – until things like this happen.”

That view is echoed by Caroline Ball, academic librarian (business, law and social sciences) at the University of Derby. “The reality is the British Library is woefully underfunded, both in real terms and in comparison to other national libraries,” says Ball, noting that its government funding has not kept pace with inflation over the past 15 years despite having risen from £109.5 million in 2009-10 to £127.8 million in 2023-24. “It has effectively seen a 25 per cent cut,” she notes. “Compare that to the 2025 [US] Library of Congress budget request of $898 million [£689 million], which specifically makes reference to the need to invest in its IT infrastructure – no doubt learning from the unfortunate example of the British Library.”

Closer to home, the latest budget of Paris’ Bibliothèque Nationale de France – which charges €55 (£45) for a year-long pass, or €24 for a five-day pass – was €254 million (£211 million), she adds.

ADVERTISEMENT

In January, the British Library announced that it was freeing up 40 per cent of its financial reserves, roughly £7 million, to rebuild its IT systems, issuing a £400,000 tender in August for security contractors to help with this task. Without additional funding, this outlay is likely to hit other elements of the library’s budget, such as staff, acquisitions and outreach, says Ball.

Moreover, the complete rebuild of IT services, and the return of digital resources, must be only the first step to ensuring that the library is secure from another catastrophic hack, Ball adds. “The attack demonstrates how vulnerable digital services are without robust cybersecurity procedures, and these require investment, not just in financing them but also having staff to maintain and upgrade them. Both require money.”

The good news is that the library’s digital resources are still intact, as are its physical materials, she says. “However, the means to securely find and access them have been so badly damaged that they require rebuilding from the ground up. People think digital is more permanent. But in many ways it’s so much more transient than physical artefacts without an ongoing commitment to maintaining access.”

Exactly who is best equipped to handle this task is another question. For some, the breach highlights how it is nearly impossible for public institutions with limited budgets to create impregnable technologies – including open-access repositories – when a multibillion-pound international cybercrime industry is intent on infiltrating their systems. “We are now understood among cybercriminals to be very soft targets with a lot of profitable information basically just lying around,” wrote Fiona Greig, director of knowledge and digital services at the University of Winchester, in January about why academic libraries have become such juicy targets.

Would it be better to outsource infrastructure to commercial partners – even so-called big tech companies – with more resources and expertise to ensure cybersecurity? Not everyone is convinced, with some sceptics noting that a British Library report into the hack published in March points out that the “increasing use of third-party providers within our network…and the increasing complexity of managing their access was flagged as a risk” before the attack. Having university staff who understand the systems they operate and their potential frailties would be preferable to leaving this work to overseas contractors, who will also take a substantial financial cut for their work, some maintain.

Building a robust new system with firewalls and back-ups must be the priority, most agree, but what if another hack – and a more destructive one – did occur? A more radical – and, in some eyes, effective – fail-safe for safeguarding knowledge would see institutions’ resources backed up in multiple places – perhaps along the lines of the Google Books project, which saw 25 million books from major university libraries digitised at a cost of $400 million.

The stalling of that project – with scholars able to access only snippets of most digitised documents following intellectual property rights challenges – shows the risk of relying on private actors, however enthusiastic or rich, says Ball. “You don’t want decisions on ongoing curation and preservation of digital content in the hands of private actors or corporate interests – just look at Twitter, for example,” she notes, citing the platform’s decision to shut down researchers’ access to its data after it was purchased by Elon Musk in October 2022. “That’s one of the reasons why national libraries like the British Library are so vital. It’s important to have institutions committed to maintaining ongoing, original, unedited records of digital content and activity.”

Services at the British Library are starting to come back online, but there is some way to go yet. Last month, it was announced that access to the library’s entire physical collection – some 262 million linear kilometres of items and 750 million pages of newspapers and periodicals dating back to the 18th century – has been restored. However, about a million e-books and several million online articles deposited with the British Library since 2013 – when legal deposit laws were updated to include the placing of electronic items in the BL – have been out of reach to researchers at the UK and Ireland’s six legal deposit libraries, for whom the BL operates the system. That system is still offline, although it is close to returning, according to an update on 10 October.

As for EThOS and the UK Web Archive, there is no timeline for their return. However, 1,000 digitised manuscripts have recently reappeared online, even if there is no word about other resources such as the library’s audio and video archives.

In a statement, the British Library's chief executive, Sir Roly Keating, says he is “deeply sorry for the disruption [the hack] has caused to so many people’s research activities and equally grateful for the understanding and support we’ve received from so many quarters”.

While some services have been restored, Keating continues, the library’s “journey towards full recovery continues, with a new round of priorities under way, including restoration of access to the EThOS resource of 600,000 digitised theses, which I know has been sorely missed by many of our users in the academic community. The damage the attackers caused was significant, but we’re determined that the outcome in the long term will be a stronger, more resilient British Library.”

Ovenden makes no criticism of the library’s “valiant efforts in recovering their position after this catastrophe” as he outlines the scale of the task: “It needs to rebuild its systems, which includes integrity checks on all content to make sure there isn’t any hidden malware left behind – basically, hand grenades that would cause yet more damage.”

But while lessons will no doubt be learned, Ovenden hopes that the past year’s disruption will highlight the vital role of academic libraries in scholarly and national life – and what is lost when their core functions are compromised.

“I was walking some visitors round the Bodleian this morning, and they were stunned at how busy and vibrant it was – it was filled with people, mostly under the age of 30, accessing educational and research materials,” he says. “Libraries are crucial places if we want our knowledge economy to survive and thrive. That means investing in what we do.”

ADVERTISEMENT

jack.grove@timeshighereducation.com

POSTSCRIPT:

Print headline: ‘We are vulnerable when we go digital’

Register to continue

Why register?

  • Registration is free and only takes a moment
  • Once registered, you can read 3 articles a month
  • Sign up for our newsletter
Register
Please Login or Register to read this article.

Related articles

Sponsored

ADVERTISEMENT