Road to Recovery


A sign outside the Columbia branch of Seattle Public Library announcing that “All library computer systems down,” on Wednesday, May 29, 2024, after the system suffered a ransomware attack. Photo: KUOW

On a morning in October 2023, an accountant at Orion Township (Mich.) Public Library (OTPL) saw something in her accounting software that alarmed her: file names written in Cyrillic.

Within an hour, library leaders had been alerted to the suspicious activity, and the IT director had disconnected the servers, halting a ransomware attack mid-strike. “We caught them in the act,” says OTPL Director Chase McMunn.

Ransomware attacks and cybersecurity incidents are no longer rare, with more than 15 million cyberattacks worldwide annually since 2020, and public institutions have become frequent targets. These attacks often shut down core systems, compromise personal information of patrons and library employees, and leave communities without access to certain services, all while demanding substantial resources to repair the damage.

Also in October 2023, Toronto (Ont.) Public Library (TPL), one of the largest systems in North America, faced a devastating breach. Seattle Public Library (SPL) joined the list in May 2024. For each, recovery was long, complicated, and costly, but their experiences offer lessons in how libraries can respond and rebuild.

The early hours

The ransomware attack at OTPL was already in progress when staffers cut it short. Because the malware hadn’t finished purging files before the servers were disconnected, recoverable copies in deleted folders allowed the library to restore systems within days.

When the immediate danger was clear, OTPL’s cyber insurance plan became a lifeline. “Once I reached out to our insurance [provided by the Michigan Municipal League], things moved really quickly,” McMunn says. The library was soon connected with legal experts in cybersecurity, who then initiated an investigation.

But acting fast came with complications. Because staffers disconnected the servers during the attack, forensic specialists couldn’t fully trace the source of the malware. “[It was] sort of like going to the crime scene and walking all over it,” McMunn explains.

In Seattle, IT staffers first detected signs of an intrusion early on May 25, 2024. By 9 a.m., administrators had activated an incident command structure modeled on the Federal Emergency Management Agency (FEMA) National Incident Management System. They immediately engaged several outside consultants: cybersecurity firms Critical Insight (a company SPL was already working with) and Alvaka helped identify and expel the attackers, Charles River Associates managed data forensics, and two law firms—Mullen Coughlin and later Orrick—handled compliance and communication.

“You need the expertise, and you most certainly need the manpower and the tools that they bring to the table,” Executive Director and Chief Librarian Tom Fay says about contracting outside assistance.

Toronto’s October 2023 attack also triggered a preexisting emergency plan. “It’s a three-tiered structure,” says Vickery Bowles, who recently retired as city librarian and led the system during the attack. Those tiers included the Cyber Response Leadership Team (CRLT), the Library Operations Centre that led the service recovery plan approved by CRLT, and the Management Response Team that coordinated internal communications and managed frontline operations. The city put CRLT in touch with legal counsel, who joined the response on day one. Counsel clarified the library’s legal obligations related to privacy and identity theft, helped to engage a technical consultant, and established legal privilege to ensure that private details shared with consultants remain protected from later disclosure.

Bouncing back

If the first hours were about urgency, the months that followed demanded endurance. Libraries say that restoring services required enormous effort, often physical as well as digital.

At TPL, all 100 library branches remained open throughout the attack, even as digital systems including public computers, the library website, catalog and account access, and some digital materials and databases went offline. Staff continued providing services, including manually checking out materials, although that created a backlog of work that employees later needed to digitize. Once services had been fully restored in February 2024, staffers processed new library card registrations first, then worked through 1.4 million returns—which had been stored in 15 semi-trailers—and renewals. While working to restore services, IT staff painstakingly quarantined and checked each library computer for malware.

SPL staff faced a similar set of challenges. With core systems down, circulation reverted to pen and paper. More than 1,000 computers systemwide were reimaged, and tens of thousands of books piled up at the maintenance and operations center waiting for processing. Communication also required improvisation: Staffers received updates via printed memos, and an emergency phone line provided daily status reports.

At OTPL, most services returned quickly, but the attack had lasting effects. A denial-of-service attack in November 2023 overwhelmed the library’s website and knocked it offline, forcing staff to launch a temporary site in December while working on a permanent rebuild, which went live three months later.

Across all three library systems, resilience was central to carrying recovery forward. The work was often slow and tedious, but employees found ways to push through. At TPL, for example, the mountain of returns became a point of camaraderie, with branches turning processing them into a friendly competition.

Lessons learned

Demanding a ransom is common in ransomware attacks against public institutions, but legal experts often advise against paying. “Even if you paid the ransom, there’s no guarantee they’re going to destroy the data and not come back for more later,” Bowles says. OTPL’s legal counsel provided similar advice, cautioning that payment would carry no guarantee of recovery.

In the aftermath of their respective attacks, OTPL, SPL, and TPL point to a set of shared lessons. Structured response models, whether FEMA-inspired or locally designed, were vital for managing chaos. TPL had prepared for potential attacks by running tabletop exercises, which let staffers practice their roles in a simulated crisis. Cyber insurance, which covers expenses related to investigation, crisis communication, and legal services, gave OTPL a critical safety net, and transparent, fact-based communication preserved patron trust when systems, like the library’s website and county historical resources, were down.

Technical defenses have also been strengthened. All three libraries reported adopting new security mechanisms and protocols, including stronger firewalls, multifactor authentication, phishing simulations, and more robust intrusion detection. For TPL, the crisis even accelerated long-term digital priorities.

“We were able to advance many initiatives that would have taken years to achieve in a very short period of time,” Bowles says. While she emphasizes that it does not make up for the attack, “there was a silver lining.”

Peer support can also be an important recovery tool. Within days of the attack at SPL, library leadership was on the phone with colleagues in Toronto and Boston, at the British Library, and in Singapore—all at institutions that had endured ransomware incidents in recent years. Those conversations, Fay says, were both practical and reassuring, offering advice on recovery and a reminder that they weren’t alone.

“If a library system goes through it,” he says, “we’re always here to be on call if you have questions.”
