Incident Types: The types of cybersecurity incidents that have occurred include Ransomware and Cyber Attack.

Detection and Response: The company detects and responds to cybersecurity incidents through an containment measures with robust backup strategies, containment measures with air-gapped storage systems, containment measures with tested disaster recovery procedures, and enhanced monitoring with ncsc early warning service, and and containment measures with refusal to pay £600,000 ransom, containment measures with manual workflows implemented, and remediation measures with partial system restoration (digital forms for orders), remediation measures with ongoing recovery efforts, and recovery measures with gradual service restoration, recovery measures with negotiations with trade unions, and communication strategy with public acknowledgment of impact, communication strategy with union engagements for pay disputes, and third party assistance with expel (security researchers), and communication strategy with public disclosure via the register/techradar..

Common Attack Types: The most common types of attacks the company has faced is Ransomware.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through spoofed Bing adsfake Microsoft Teams download pages.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Personally Identifiable Information (Pii), Employment Records, Passport Scans, Addresses and .

Third-Party Assistance: The company involves third-party assistance in incident response through Expel (security researchers), .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Partial system restoration (digital forms for orders), Ongoing recovery efforts, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by robust backup strategies, air-gapped storage systems, tested disaster recovery procedures, , refusal to pay £600,000 ransom, manual workflows implemented and .

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Gradual service restoration, Negotiations with trade unions, .

Key Lessons Learned: The key lessons learned from past incidents are The measures represent a fundamental shift in approaching ransomware threats, aiming to disrupt the cyber criminal business model while protecting critical services.Critical reliance on digital systems in modern libraries,Need for robust incident response and staff support,Long-term operational impacts of ransomware refusal,Importance of addressing staff welfare post-breachMalvertising campaigns exploiting trusted brands (e.g., Microsoft Teams) and search engines (Bing) can effectively bypass user skepticism. Continuous monitoring of ad networks and proactive takedowns of spoofed pages are critical to mitigating such threats. Users should verify download sources and avoid clicking on ads, even from reputable platforms.

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: UK Government Announcement, and Source: The IndependentUrl: https://www.independent.co.ukDate Accessed: 2025-10-XX, and Source: TechRadar (via The Register)Url: https://www.techradar.comDate Accessed: 2025-07, and Source: Expel (security research).

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public Acknowledgment Of Impact, Union Engagements For Pay Disputes and Public Disclosure Via The Register/Techradar.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Trade Union (Pcs) Engagements, Public Statements On Pay Disputes, Service Disruption Notices, Apologies For Prolonged Outages, , Users Advised To Avoid Clicking On Bing Ads For Microsoft Teams And Verify Download Sources. and .

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Ncsc Early Warning Service, , Expel (Security Researchers), .

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Partial System Restorations, Union Negotiations For Staff Pay, Dark Web Monitoring For Leaked Data, , Bing/Microsoft To Implement Stricter Ad Vetting For Branded Keywords (E.G., 'Microsoft Teams')., Security Awareness Training For Users On Identifying Malvertising., Proactive Hunting For Rhysida-Affiliated Malware (Oysterloader, Latrodectus) In Enterprise Environments., .

Last Ransom Demanded: The amount of the last ransom demanded was £600,000.

Last Attacking Group: The attacking group in the last incident was an Rhysida ransomware group.

Most Recent Incident Detected: The most recent incident detected was on October 2023.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-07.

Most Significant Data Compromised: The most significant data compromised in an incident were Staff personal details (addresses, passport scans), Operational data and .

Most Significant System Affected: The most significant system affected in an incident was Technology infrastructure of the British Library and Digital ordering systemsEbooksArchives and manuscripts catalogueOnline journal articlesLibrary management systems.

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was expel (security researchers), .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Robust backup strategiesAir-gapped storage systemsTested disaster recovery procedures, Refusal to pay £600 and000 ransomManual workflows implemented.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Operational data, Staff personal details (addresses and passport scans).

Highest Ransom Demanded: The highest ransom demanded in a ransomware incident was £600,000.

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Importance of addressing staff welfare post-breach, Malvertising campaigns exploiting trusted brands (e.g., Microsoft Teams) and search engines (Bing) can effectively bypass user skepticism. Continuous monitoring of ad networks and proactive takedowns of spoofed pages are critical to mitigating such threats. Users should verify download sources and avoid clicking on ads, even from reputable platforms.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Invest in cyber resilience and backup systems, Improve staff compensation and mental health support, Monitor dark web/underground forums for signs of Rhysida affiliate activity or stolen data sales., Implement stricter ad verification processes on platforms like Bing to prevent spoofing., Adopt Cyber Essentials certification framework, Utilize NCSC Early Warning service, Accelerate system restoration to reduce manual workloads, Transparency in post-incident communications, Enhance email/web filtering to block malicious .LNK files and associated payloads., Educate users on recognizing fake download pages and verifying URLs before downloading software., Deploy endpoint detection and response (EDR) solutions to detect and block malware like OysterLoader and Latrodectus. and Enhance dark web monitoring for leaked data.

Most Recent Source: The most recent source of information about an incident are Expel (security research), UK Government Announcement, TechRadar (via The Register) and The Independent.

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.independent.co.uk, https://www.techradar.com .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (as of 2025).

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Trade union (PCS) engagements, Public statements on pay disputes, .

Most Recent Customer Advisory: The most recent customer advisory issued were an Service disruption noticesApologies for prolonged outages and Users advised to avoid clicking on Bing ads for Microsoft Teams and verify download sources.

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Inadequate cybersecurity defenses (specifics undisclosed)Lack of redundant manual systemsDelayed recovery timeline, Lack of ad verification on Bing allowing spoofed Microsoft Teams ads.User trust in branded ads/search results leading to clicks on malicious links.Effective use of .LNK files to bypass initial security controls..

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Partial system restorationsUnion negotiations for staff payDark web monitoring for leaked data, Bing/Microsoft to implement stricter ad vetting for branded keywords (e.g., 'Microsoft Teams').Security awareness training for users on identifying malvertising.Proactive hunting for Rhysida-affiliated malware (OysterLoader, Latrodectus) in enterprise environments..