Security IT

Personal Data Stolen in British Library Cyber-Attack Appears for Sale Online (theguardian.com) 5

The British Library has confirmed that personal data stolen in a cyber-attack has appeared online, apparently for sale to the highest bidder. From a report: The attack was carried out in October by a group known for such criminal activity, said the UK's national library, which holds about 14m books and millions of other items. This week, Rhysida, a known ransomware group, claimed it was responsible for the attack. It posted low-resolution images of personal information online, offering stolen data for sale with a starting bid of 20 bitcoins (about $750,000). Rhysida said the data was "exclusive, unique and impressive" and that it would be sold to a single buyer. It set a deadline for bids of 27 November.

The images appear to show employment contracts and passport information. The library said it was "aware that some data has been leaked, which appears to be from files relating to our internal HR information." It did not confirm that Rhysida was responsible for the attack, nor that the data offered for sale was information on personnel. Academics and researchers who use the library have been told that disruption to the institution's services after the serious ransomware attack was likely to continue for months. This week, the library advised its users to change any logins also used on other sites as a precaution.

  • One does have to wonder how the data could be worth $750,000? While you ponder that, do you really think they would sell only one copy if two buyers came to meet that price?
    • "One does have to wonder how the data could be worth $750,000?"

      It's a list of British people who read.
      Both of them.

  • by jd ( 1658 ) <imipak@yahoGINSBERGo.com minus poet> on Friday November 24, 2023 @05:48AM (#64028339) Homepage Journal

    ...is woefully under-prepared for cyber threats. The attack a few years back on the NHS should have been impossible - proxy servers and firewalls would have been adequate to disconnect the inside of hospitals from the public Internet. There is never a need to have critical services exposed like that.

    This most recent attack shows that things haven't improved much. Databases aren't encrypted and critical computers are still directly connected.

    I'm impressed the British Library is running Linux and nginx (Netcraft confirms it) but, self-evidently, there were problems with the setup. If threats were properly isolated and contained, the British Library would be back up and running by now. [netcraft.com]

    That tells us that their investigations have to cover more than just a proxy in a DMZ and some database logs. They're having to check a lot of systems, from the looks of it. It's the only reason I can think of for taking weeks to restore their website.

    This shouldn't be happening. I can understand some issues - Cisco keep finding zero-day vulnerabilities and that weakens everything. But if everything is properly patched and hardened, hackers might still have been able to take out the website but shouldn't have been able to access so many machines that it would take weeks to carry out the forensics and undo the damage.

    This is, according to some reports, a very common problem with governmental systems. The civil service simply isn't paying attention to security. I'm honestly not impressed with cyber security in the private sector, either. The level of complacency is infuriating and the attitude that the exposure of sensitive private data of customers and employees is merely the cost of doing business is, in my opinion, unacceptable.

  • Oh, look...every book Rishi Sunak has withdrawn for the last six years contains pictures of...well, let's leave that for another day. The cheque just cleared.

  • need to store my passport information?
