Data watchdog will leave British Library alone – further probes 'not worth our time'

No MFA? No problem – as long as you show you’ve learned your lesson


The UK's data protection overlord is not going to pursue any further investigation into the British Library's 2023 ransomware attack.

The Information Commissioner's Office (ICO) said it doesn't think its resources would be best spent on the UK's national library, even though the incident was as damaging as it was because MFA had not been applied to an admin account.

"Having carefully considered this particular case, the Information Commissioner decided that, due to our current priorities, further investigation would not be the most effective use of our resources," a statement read.

"We have provided guidance to the British Library, which has reassured us about its commitment to continue to review and ensure that appropriate security measures are in place to protect people's data."

In the short post on the matter, the ICO – like many others in the cybersecurity community have done since the digital break-in – lauded the British Library for its stellar approach to responsibly disclosing the ransomware attack.

From the start, the library issued regular, comprehensive updates about its recovery status, and in March 2024 it published a full review of the attack, outlining in depth the institution's IT weaknesses and the lessons it learned.

The ICO commended the British Library for its crisis comms, which major organizations are still struggling to emulate years later.

"Following the incident, the British Library published a cyber incident review in March 2024, which provided an overview of the cyber-attack and key lessons learnt to help other organisations that may experience similar incidents.

"We commend the British Library for being open and transparent about its system vulnerabilities that contributed to the incident, the impact it has had, and the improvements made so far to protect people's personal information."

The ICO's decision to leave the library in peace comes at a time when internal resource constraints have contributed to the regulator breaking the wrong kind of records.

Earlier this month, the regulator revealed that it missed its complaint response targets by the biggest margin since it started tracking them, and that, given current staffing levels, its performance is expected to decline further.

Illustrating the size of the backlog, it said the goal is to respond to all complaints within 90 days; however, only 12.3 percent of complaints from the latest quarter were thoroughly assessed within that window.

For context, the ICO has a lot on its plate. For a small-ish team operating out of a modest office in Wilmslow, a small English town in Cheshire East, it received more than 10,000 complaints during the most recent quarter, an increase of 746 compared to the three months prior.

The ICO confirmed it was hiring for various roles and "significant digital and process changes" were on the way, with the aim of easing the burden. ®