Cybersecurity is one of the growing concerns of our digital age, and public libraries are not immune to attacks or intrusion attempts by cybercriminals seeking to gain access to sensitive data.
Unfortunately, it has become increasingly common for hackers to target the most respected of community institutions, as several recent attacks have shown:
-
On October 28, 2023, Toronto Public Library suffered a ransomware attack that took key technical systems offline, including the library’s internal network, website and public computers. As Library Journal reported, "Although TPL managed to keep all of its 100 branches open and host programs throughout the ordeal, patrons were unable to access their library accounts online or use the library’s computers for more than two months."
-
On the very same day, the British Library began to experience technical issues, including an outage of its Wi-Fi network and online catalog. As it turned out, the United Kingdom's largest library had been targeted in a ransomware attack by a hacker group called Rhysida. When the library refused to pay the ransom, the hackers leaked some 600GB of data onto the dark web, including personal details of library users and staff members. The British Library has estimated it will use about 40% of its financial reserves — around £6–7 million, to recover from the attack.
-
Seattle Public Library, meanwhile, is still dealing with the fallout of a May 25, 2024, ransomware attack. According to a June 18 article from The Stranger, users can still check out physical and digital media through the Libby app and the Seattle Public Library Overdrive site, and all 27 branch buildings remain open. Many vital services, however, are still missing: "Borrowers cannot return physical media or place holds on anything, Interlibrary Loans are down, in-building Wi-Fi is down, public computers are down, mobile hotspots are virtually impossible to checkout, the catalog won’t update, and no one can use the printers."
See also:
-
Data privacy: Why libraries need to prioritize safeguarding patron information
-
Does the use of ChatGPT in libraries pose a threat to data security?
-
Practical, responsible and human-centered: The future of AI in libraries
Cybersecurity measures can keep users' data safe
To help us understand what specific vulnerabilities make a public library such an appealing target for cybercriminals, and what what libraries can do to protect themselves against malware and ransomware attacks, PressReader tapped the considerable knowledge and expertise of Dr. Brady Lund.
Lund is an Assistant Professor in the Department of Information Science at the University of North Texas's College of Information. Lund is the author or co-author of a large number of journal articles examining the impact of technology on libraries and academia, from malware to artificial intelligence.
PressReader: There have been a number of high-profile cyberattacks on public libraries in recent months — including the ones against the Toronto Public Library, British Library and Seattle Public Library. Why do cybercriminals launch such attacks against libraries, and what sort of information are they after?
Dr. Brady Lund: There are several reasons that cybercriminals may target public libraries. Public libraries have a lot of data about their patrons — names, phone numbers and email addresses, physical addresses, and transaction records. They may also have payment details if a patron has paid fines or made purchases.
Many of the libraries that are targeted are large and have considerable budgets and massive resources but lack significant investment in cybersecurity compared to private entities of the same size. Many also have poorly secured networks for the public, which makes everyone who has used the network vulnerable as well.
Libraries are often targeted for ransomware attacks — where the attackers seize library data and block access to systems — because of their high visibility and their collections of this patron data. There is likely a belief among attackers that the visibility of the attack and the fact that it compromises the privacy of many members of the community will result in public pressure to pay a ransom to regain access to the library systems and data.
PressReader: What cybersecurity measures can libraries implement in order to ensure that patron and employee information is secure? Is there specific technology that can help, or best practices that library staff should follow?
Lund: Every library, regardless of the size and type, should conduct regular privacy and security audits. At least once a year, a committee should review all systems and possible vulnerabilities and make recommendations to the administration.
Often, the greatest vulnerability within any organization is people — especially employees. If the account of one employee can be compromised, then the attacker may soon gain access to a wide variety of systems and data.
For this reason, it is critical to provide regular training and test your employees’ cybersecurity awareness.
Ultimately, zero trust cybersecurity, where everyone accessing a network must continuously prove who they are using certificates and receives limited access to only the information they need, is an ideal solution, but it may be impractical given the resources available to many libraries.
PressReader: Does the use of generative AI tools — ChatGPT, for example — in libraries increase the risk of security breaches or other issues? How can this be mitigated?
Lund: Yes, the use of AI tools like ChatGPT can expose a library to cybersecurity risks. Many of these tools collect some information about users and their queries. This creates vulnerabilities for the user as well as the library.
Libraries need to develop appropriate policies pertaining to the use of AI and privacy and security risks. They should also educate the public about the risks of AI usage. Many members of the public are not aware that these risks exist and freely divulge highly sensitive information to these AI tools.
How patrons can stay safe
At PressReader we believe it is crucial for patrons to feel secure when using online tools at their local public library branch. After all, library members all over the world use our platform to bring a universe of content within reach, accessing more than 7,000 newspapers and magazines from around the globe.
When it comes specifically to the use of AI, it's important to remember that while this technology has many potential benefits for staff and patrons alike, tools such as ChatGPT come with inherent risks. As we noted in a previous blog post, users can safeguard their privacy by doing the following:
-
Limiting sensitive information: Users should refrain from sharing personal or sensitive data across conversations with ChatGPT.
-
Reviewing privacy policies: Before using an OpenAI language model, they must carefully review the privacy policy and data handling practices for conversations and their usage.
-
Using anonymous or pseudonymous accounts: Using anonymous or pseudonymous accounts is a wise call when using ChatGPT or similar AI models.
-
Monitoring data retention policies: Users must familiarize themselves with the data retention policies of ChatGPT and similar platforms to gain a better understanding of how long their conversations are stored before they are deleted or anonymized.
-
Staying informed: Library users must keep themselves up to date with any changes to OpenAI’s security measures or privacy policies.
Cybersecurity is an ongoing commitment
As we have stressed previously, we exist in an age in which prioritizing data security is no longer optional — it is absolutely imperative. To ensure the privacy of each library user, librarians and support staff must take proactive measures.
Robust cybersecurity practices — starting with educating staff and adhering to legal and ethical standards — can foster trust and confidence. It's all part of an ongoing commitment that will help libraries fulfill their role as a key part of the community's social infrastructure.
