
Statement on British Library’s 2023 ransomware attack

  • Date 30 April 2025
  • Type Statement

In October 2023, the British Library reported a ransomware attack to us, which escalated because of the lack of multi-factor authentication on an administrator account.  

Following the incident, the British Library published a cyber incident review in March 2024, which provided an overview of the cyber-attack and key lessons learnt to help other organisations that may experience similar incidents.  

We commend the British Library for being open and transparent about its system vulnerabilities that contributed to the incident, the impact it has had, and the improvements made so far to protect people’s personal information.  

Having carefully considered this particular case, the Information Commissioner decided that, due to our current priorities, further investigation would not be the most effective use of our resources.  

We have provided guidance to the British Library, which has reassured us about its commitment to continue to review and ensure that appropriate security measures are in place to protect people's data. 

Cyber security guidance  

Organisations must take proactive steps to assess and mitigate risks against cyber attacks, such as implementing comprehensive multi-factor authentication (or an equivalent measure), regularly scanning for vulnerabilities and keeping systems up to date with the latest security patches.    

We have detailed guidance on protecting systems from ransomware attacks, as well as lessons learnt from common security mistakes.