The Calgary Public Library planned to reopen limited service in its branches on Wednesday, five days after a cyberattack shut down operations in the latest of a series of hacks of libraries globally.
The city’s library system shut down on the weekend because of the attack, although it hasn’t explained exactly what happened. The library says cardholders will be able to take out books and other materials, but nothing can be returned for now, and most of the library’s electronic services – including computer access, wireless internet and most online resources – will remain offline.
The attack came nearly a year after the Toronto Public Library was hit by a ransomware attack that kept most of the library’s services offline for four months. At the time, Calgary’s library said it had boosted security measures and was reminding staff to be vigilant but, on Friday, it revealed that it had failed to stop an attack.
Calgary Public Library spokeswoman Mary Kapusta said Tuesday it was too early in the investigation to share even basic details about the attack, including how the hackers gained access or whether user data had been compromised.
“Out of an abundance of caution, if you have a password that you share with your library account for other personal accounts, we are telling people and advising members to update those passwords,” she said.
Ms. Kapusta said that Calgary was able to learn from the Toronto Public Library’s staged resumption of full service after the cyberattack last year. Calgary created a restart protocol in the event of a hack, focusing on what services the library could provide without computer access.
“When we think about libraries, there’s tons of technology services and digital services we provide, but the most important value for libraries for a lot of people every day … is just having that kind of secure space for people to find information,” she said.
Calgary’s public library system has the second-highest usage in the country, with more than seven million in-person visits annually. It has more than 800,000 active members and close to 60 per cent of Calgarians are library users.
Toronto Public Library spokeswoman Ana-Maria Critchley said that a report into its attack has been shared with other libraries at conferences. “We’ve also met with libraries that have approached us to learn about our response and lessons learned,” she said in an e-mail.
Tom Keenan, a professor at the University of Calgary and vice-chair of the Information and Communications Technology Council of Canada, said that libraries offer an attractive target to hackers. Not only do vast numbers of people hold library cards, these people give up a fair amount of personal information.
He raised the hypothetical scenario of a hacker knowing you’d taken out several books about travel in Hawaii and then using that, plus the e-mail address on the library file, to send a malicious message purporting to offer a cheap flight. He also warned about the prospect of starting with library data to build a target profile allowing identity theft.
“If you pick up information from other sources, and people post things on Facebook and so on, their birthday and stuff like that, you can cobble together enough,” he said.
The attack in Calgary is part of a series of hacks on libraries and other municipal services in North America and Europe. These include attacks earlier this year on the City of Hamilton and on the B.C. Libraries Cooperative, a not-for-profit that builds and maintains IT services for member libraries.
Among the most high-profile attacks was a hack in October of last year that continues to limit user access at the British Library and the massive attack around the same time that shut down full access to Toronto’s public library services for months.
Both of those attacks were ransomware operations. In both cases, the libraries refused to pay. Ms. Kapusta said it was too early in Calgary’s investigation to say whether a ransom demand had been made.
The attack was revealed only two days after Calgary announced a “digital first” branch, a small location focused on technology services in the northeast of the city. The branch’s web-page listed the location Tuesday as “Closed until further notice.”