ARTICLE AD BOX
By Yasmin Rufo
Culture reporter
The British Library has confirmed that a cyber attack in October has led to a leak of employee data.
The attack, which took place on 31 October, has also resulted in the library's website being down for almost a month.
The Rhysida ransomware group claim to be behind the attack, and say they will auction off the stolen data.
The cyber gang say the price for data, that includes passport scans, has been set at 20 Bitcoin (£596,459).
The British Library, the UK's largest library, posted on X, saying: "Following confirmation last week that this was a ransomware attack, we're aware that some data has been leaked. This appears to be from our internal HR files."
However, it added that it has "no evidence that data of our users has been compromised", and it has not confirmed that the data being sold at auction belongs to British Library employees.
A National Cyber Security Centre (NCSC) spokesperson said it was working with the library to "fully understand the impact" of the incident.
It added: "Ransomware is the key cyber threat facing the UK, and all organisations should take immediate steps to limit risk by following our advice on how to put in place robust defences to protect their networks."
On Monday the Rhysida ransomware group said it was behind the attack and shared an image to its leak site on the dark web showing various documents, some of which appear to be HMRC employment contracts and passports.
The BBC has not verified whether the data is real.
The cyber criminals said an auction for "exclusive, unique and impressive data" would end just before 0800 GMT on 27 November, and would be sold to one single-party winner.
On 15 November the FBI and the US Cybersecurity & Infrastructure Security Agency issued a warning on the threat posed by Rhysida.
In a joint statement, it said: "Threat actors leveraging Rhysida ransomware are known to impact 'targets of opportunity', including victims in the education, healthcare, manufacturing, information technology, and government sectors."
The group are also behind recent attacks on the Chilean army, the Portuguese city of Gondomar and the University of West of Scotland.
Analysis
Joe Tidy, BBC Cyber Correspondent
These kinds of attacks are sadly extremely common with ransomware gangs like Rhysida successfully stealing troves of data from companies and disrupting operations every day.
Advice from law enforcement agencies around the world is always to refuse to pay a ransom to these criminals as it fuels their industry, but sadly many victim organisations do to cover it up or return to normal as swiftly as possible.
As a public institution it's highly unlikely that British Library will cave to the cyber criminals' demands so Rhysida are left with a mass of stolen data that they need to make money from as quickly as possible before moving on to the next victim.
The timer on their darknet leak site appears to be counting down to a time (in six days) when the stolen data will be either given away for free or deleted.
It's a troubling time for the employees who may be more at risk of identity fraud, but it also could have been far worse had the hackers gained entry to more sensitive or larger data sets housed by the British Library.
In a statement, the world-renowned library, which has one of the largest book collections in the world, says it "anticipates restoring many services in the next few weeks, but some disruption may persist for longer". The attack has had an impact on the library's website, online systems and services such as book ordering.
The statement added: "If you have a British Library login and your password is used elsewhere, we recommend changing it as a precautionary measure.
"We've taken targeted protective measures to ensure the integrity of our systems, and we're continuing to investigate the attack with the support of NCSC [National Cyber Security Centre], the Metropolitan Police and cybersecurity specialists."