Data watchdog will leave British Library alone – further probes 'not worth our time'
- Reference: 1746094514
- News link: https://www.theregister.co.uk/2025/05/01/ico_brit_library/
The Information Commissioner's Office (ICO) said it doesn't think its resources would be best spent on the UK's national library, even though the incident was such a disaster and came down to MFA not being applied on an admin account.
"Having carefully considered this particular case, the Information Commissioner decided that, due to our current priorities, further investigation would not be the most effective use of our resources," a statement read.
"We have provided guidance to the British Library, which has reassured us about its commitment to continue to review and ensure that appropriate security measures are in place to protect people's data."
In the short [2]post on the matter, the ICO – like many [3]others in the cybersecurity community have done since the digital break-in – lauded the British Library for its stellar approach to responsibly disclosing the ransomware attack.
From the start, the library issued regular, comprehensive updates about its recovery status, and in March 2024 it published a [5]full review of the attack, outlining in depth the institution's IT weaknesses and the lessons it learned.
The ICO commended the British Library for its crisis comms, which [8]major organizations are still struggling to emulate years later.
"Following the incident, the British Library published a cyber incident review in March 2024, which provided an overview of the cyber-attack and key lessons learnt to help other organisations that may experience similar incidents.
"We commend the British Library for being open and transparent about its system vulnerabilities that contributed to the incident, the impact it has had, and the improvements made so far to protect people's personal information."
The ICO's decision to leave the library in peace is taken at a time when internal resource constraints have contributed to performances that break the wrong records.
Earlier this month, the regulator revealed that it [14]missed its complaint response targets by the biggest margin since it started tracking them, and due to current staffing levels, its performance is expected to decline further.
Illustrating the size of the backlog, it said the goal is to respond to all complaints within 90 days; however, only 12.3 percent of complaints from the latest quarter were thoroughly assessed.
For context, the ICO has a lot on its plate. For a small-ish team operating out of a modest office in Wilmslow, a small English town in Cheshire East, it received more than 10,000 complaints during the most recent quarter, an increase of 746 compared to the three months prior.
The ICO confirmed it was hiring for various roles and "significant digital and process changes" were on the way, with the aim of easing the burden. ®
[2] https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/04/statement-on-british-library-s-2023-ransomware-attack/
[3] https://www.theregister.com/2024/05/20/the_british_library_owes_lauded/
[5] https://www.theregister.com/2024/03/11/british_library_slaps_the_cloud/
[8] https://www.theregister.com/2025/04/02/oracle_breach_disaster_planning/
[14] https://www.theregister.com/2025/04/08/ico_recruitment_drive/
Underfunded by design
Just like the [1]Irish DPC.
[1] https://www.irishlegal.com/articles/data-protection-watchdog-continues-to-suffer-indefensible-underfunding
I bought a jug of milk yesterday
It had a tamper proof seal under the cap.
They all come that way now.
The ICO - busy not making work for itself.
Now any organisation can do the same as the British Library. And when the ICO comes knocking, they can demand the same treatment.
What does the ICO actually do, apart from pretending to be important?
Re: The ICO - busy not making work for itself.
First they would have to treat the occurrence as diligently as the BL.
I have always found that telling an organisation to correct information they hold about me or I will complain to the ICO about them breaching the UK's GDPR to be quite effective. Let's hope they don't read this and reckon they can get away with breaking the Act. 'Coz let's face it, proper funding and staffing for the ICO is not that high on the government's agenda right now.