London library 'almost fully recovered' from ransomware attack, CEO says

More than two months after a ransomware attack left its website, catalogue, and internal network offline for several weeks, officials with the London Public Library say they've managed to get things largely back to normal.

Details, however, are still elusive about the incident, including who was behind it, how much data was taken, and the total cost to undo the damage.

"I think the website is the one public-facing thing that we haven't quite been able to get back up. But for the most part, we've almost fully recovered," said Michael Ciccone, the library's CEO and chief librarian.

"We're just having some issues, finalizing some coding details, but hopefully, it'll be back relatively soon."

The Dec. 13 cyberattack caused widespread system outages at the library, forcing it to temporarily close some branches, and provide free credit monitoring to employees after learning the personal information of some staff members had been compromised.

It's still not clear who was behind the ransomware attack, or whether the library was specifically targeted. Most ransomware attacks are done at random through phishing campaigns or by exploiting unpatched network vulnerabilities.

Library officials won't say how ransomware infected their network, only that it wasn't a phishing incident, and that its catalogue and website weren't to blame.

They also add that it wasn't the result of a breach at a third-party vendor orshared servicesorganization, like ina ransomware incident that hit five southwestern Ontario hospitals in October.

Access to the library's online catalogue and to the web portal for library patrons was restored in mid-January, along with other digital services, such as access to OverDrive and audiobook platforms, according to the library website.

The cyberattack forced the library to strengthen its IT infrastructure, something Ciccone says it had been working on.

"We had plans in place, it's just that, because we don't have a stellar budget, we had to go slowly in building that cybersecurity, and it did probably, in the end, hurt our opportunity to really stave this," he said.

"We were having conversations, I think almost monthly, about it and our IT director was giving us updates on what he was planning to do. We didn't get there in time."

London Morning9:18A cyber security expert on why libraries are targets for hackers

The London Public Library's electronic systems were shut down by a "cyber incident" this week. Charles Finlay, the executive director of the Rogers CyberSecure Catalyst at Toronto Metropolitan University, joined London Morning to talk about why a library systems are being increasingly targeted and why public institutions aren't spending enough to stop it.

The library didn't pay a ransom to get its systems back up and running, and the full extent of the data stolen is not known yet, but it was "not extensive," Ciccone said.They also don't know whether it's been posted on the so-called dark web.

The organization has worked with police to investigate the incident, and has fulfilled its obligations with the Information and Privacy Commissioner of Ontario, he said.

It remains to be seen how much the library has had to spend mitigating the impacts of the ransomware attack and shoring up its defences against future ones. All Ciccone knows is, "it wasn't cheap."

"The expertise is not cheap. There's legal aspects that aren't cheap. It's certainly not near a million, but it's costly enough," he said.

"I don't want to speculate until I have all the numbers in... We had to do some upgrades that probably cost a significant amount of money."

Recovering from ransomware is a pricey endeavour. Last year, St. Marys, Ont. reported spending at least $1.3 million to investigate and recover from a ransomware attack it faced the previous summer.

The cybersecurity incident at London's library came two months after Toronto Public Library's systems were crippled by a severe ransomware attack, from which it is still recovering.

Library officials in Toronto previously said the incident was believed to have exposed the names, social insurance numbers, government identification, and addresses of employees dating back to 1998.