20 February 2026
Kashif Nazir, Technical Manager, Cloudhouse
More than two years after the attack, full restoration continues with some services still scheduled for recovery. This isn't just another cybersecurity cautionary tale. It's a story about what happens when decades of technical debt collide with modern threats and when structural vulnerabilities endemic across the sector finally come home to roost. Most importantly, it's a roadmap that every library, archive, museum, and university needs to study before facing their own reckoning.
The perfect storm: why one of the world's great libraries fell
The British Library wasn't careless or uniquely unprepared. It was caught in vulnerabilities that most cultural institutions share, making this incident a sector-wide warning rather than an isolated failure.
The likely entry point was a Windows Terminal Services server installed for partner and administrative remote access, particularly crucial during the pandemic when remote work became essential. The critical flaw was the absence of multi-factor authentication (MFA) on this system. While the Library had actually been ahead of the curve in rolling out MFA for cloud applications back in 2020, connectivity to on-premise systems – the legacy infrastructure running on local servers – sat outside this MFA scope pending a planned comprehensive upgrade that hadn't been completed when attackers arrived.
The UK Information Commissioner would later explicitly state that the attack escalated due to lack of MFA on an administrator account. With compromised credentials alone, obtained through phishing, brute-force attacks, or password databases from previous breaches elsewhere, attackers gained legitimate-looking access that bypassed perimeter defenses entirely.
Many key systems were running end-of-life software, creating a painful double bind: they couldn't be adequately patched or secured before the attack, and they couldn't be simply restored afterward because they were incompatible with the modern security requirements needed for safe operation. The Library was caught in the classic legacy trap – systems too old to be secure but too critical to be easily replaced.
Adding to this complexity was the wide use of external suppliers and partners with varied access levels for research collaborations, technical maintenance, and specialised services. Some of these access pathways lacked the granular controls needed to limit potential abuse or detect suspicious behavior.
The destructive anti-forensic measures the attackers employed left profound gaps in understanding. Despite extensive investigation by the Library, the NCSC, and private cybersecurity firms, investigators couldn't definitively prove the exact entry method or reconstruct the complete attack chain. Even with world-class resources, some questions remain unanswered – a humbling reminder of how effective modern ransomware techniques have become.
This could be you: lessons for every institution
The vulnerabilities that enabled the British Library breach are endemic across libraries, archives, museums, and universities. The Library was actually better resourced and more sophisticated than many of its peers. If it could happen there, it could happen to virtually any cultural or educational institution.
The baseline controls every institution needs aren't revolutionary, but they're non-negotiable. MFA must cover everything – remote access, on-premise systems, privileged accounts, third-party connections – with no exceptions for convenience.
You cannot secure what you don't know you have. So, what do you do?
● Make a comprehensive asset inventory, with tracked lifecycle states and enforced retirement of end-of-life systems, essential standard practice.
● Different functions should be isolated from each other through network segmentation, and user and service accounts should have only the minimum permissions needed so that a breach in one area doesn't automatically compromise everything.
● Backups must be protected from ransomware encryption and destruction and regularly tested for actual restoration, not just storage.
● Incident response plans need documentation, regular drills, and practiced procedures so crisis response is coherent rather than panicked.
● Third-party access requires centralised management, monitoring, and auditing with vendor access that's time-limited, appropriately scoped, and reviewed regularly.
Beyond specific controls, strategic shifts are necessary. Cyber risk must be understood and overseen at the highest governance level with dedicated budgets and clear accountability, not treated as an IT problem that executive leadership can delegate and forget. The goal isn't to make breaches impossible (sufficiently sophisticated attackers can breach almost anything) but to ensure the institution can continue mission-critical functions and recover within acceptable timeframes.
The sector benefits collectively when institutions share lessons learned, threat intelligence, and effective practices rather than hiding failures out of embarrassment. Incident response and continuity plans must assume the worst – servers destroyed, logs wiped, backups compromised – and prepare accordingly rather than optimistically planning only for encryption scenarios.
Your action plan
If you're responsible for technology, security, or leadership at a cultural or educational institution, start by reading the British Library's full cyber incident review this week and gathering your leadership team to ask honestly whether this could happen at your organisation. Identify where your MFA gaps exist, assess your backup restoration capability, and determine when you last actually tested it under realistic conditions (rather than just verifying that backup jobs complete successfully).
Within the month, conduct a rapid risk assessment focused on the specific vulnerabilities that enabled the British Library attack. Inventory your legacy systems and document all third-party access pathways. Identify your most critical single points of failure – the systems or access points where compromise would cause catastrophic mission impact.
Over the next quarter, develop or update your incident response plan with explicit provisions for destructive ransomware scenarios where simple restoration from backups won't work. Conduct a tabletop exercise that walks through realistic attack scenarios. Start closing your most critical security gaps through MFA implementation, backup improvements, and retirement of end-of-life systems that can't be adequately secured.
Throughout the next year, make cybersecurity a board-level strategic priority with dedicated multi-year funding, begin a phased modernisation program that addresses the most vulnerable legacy systems first, and build security awareness across your entire organisation so it's not just the IT team's responsibility.
The choice is ours
The British Library cyberattack is a story without villains beyond the obvious criminals – no scandal of negligence, no catastrophic blunder, no ignored warnings. Instead, it's a story of structural vulnerabilities, constrained resources, legacy burdens, and the immense difficulty of securing complex institutions with limited budgets against sophisticated, patient adversaries. That's precisely what makes it so important and so universally relevant.
Cultural institutions that confront their legacy debt, modernise proactively, embed security into operations and culture, and build genuine resilience will be the ones still serving their missions a decade from now. Those that defer these investments, hope luck protects them, or treat cybersecurity as someone else's problem are gambling with irreplaceable pieces of human heritage.
The British Library attack isn't just their story. It's a preview of challenges facing cultural institutions worldwide. How we respond – individually and collectively – will determine whether digital heritage becomes more vulnerable or more resilient in the decades ahead. The choice, and the time to act, is now.



