Lessons from the British Museum cyber attack

In October 2023, the British Museum faced a significant attack on its cyber infrastructure that resulted in the theft and destruction of 600GB worth of data, including the personal data of its users and staff. The attacker’s demand for a ransom went unpaid and the data was dumped on the dark web, where it faced exploitation by other criminal actors.

The most significant impact was on the library’s research facilities, and the loss of pre-attack software that cannot be recovered.

It is this latter point that demonstrates the significance of this type of attack. The library’s cyber-infrastructure was based on a patchwork of different software that they had outsourced from a range of different suppliers, which had been acquired over time through mergers. It was maintained by a technology team that faced staff shortages and a lack of capacity. These factors enabled both the success of the initial infiltration and exacerbated the severity of the result.

These features are found in other public sector institutions, such as universities and hospitals, where significant spending restraints have led to similarly outsourced software and a lack of adequate expertise in-house. It is not merely the fact that the software used is outsourced, but also its age. A lack of funds mean that software is often kept beyond its recommended ‘life’ and grows increasingly vulnerable to sophisticated hacking groups.

As important as up-to-date cybersecurity is, it has not been a priority for many institutions. As a result, only 50% of higher education institutions report having a strategy in place for addressing cyber-attacks. That the University of Cambridge, Manchester and Wolverhampton all faced attacks in recent months demonstrates this insufficiency.

The library has published a detailed report that highlights its particular weaknesses, and lessons for the wider public sector. These lessons emphasised three things, firstly, the importance of multi-factor authentication at all points of access to the system. Secondly, regularly training staff at all levels in cyber-security and ensuring senior staff have sufficient expertise and access to external cyber-security specialists. Finally, prioritising keeping software up-to-date and maintaining capability to recognise and respond to intrusions.

Moreover, while there is no way to make any system entirely secure, the library’s response demonstrates the importance of business continuity plans and of sharing best practices and information with their peers and partners as a way to reduce the severity of any attack.

It is unfortunate that the attack on the library led to months of disruption, disruption that is ongoing and may not be resolved even in 18 months’ time, but this does not mean that others cannot learn from the process.