Last year’s cyberattack on the Calgary Public Library (CPL) would have made a lousy heist film. After all, the hackers ended up with bupkis. The incident would have made an excellent training video, however. On what was arguably the institution’s worst day, the library did everything right. The CPL’s digital guard dogs started barking on the afternoon of Oct. 10, 2024. Cybersecurity staff received a notification alerting them to a malware attack on the library’s computer network. “Malware is code that’s basically there to do harm,” says Jim Chisholm, the CPL’s chief technology officer and director of technology. “It enables a threat actor like a hacker to get into your system and start doing bad things.”
Libraries worldwide have faced a spate of such break-ins over the last few years. In October 2023, hackers attacked the British Library, the Library of Congress and the Toronto Public Library. Attackers hit Hamilton Public Library’s system the following February. Hackers target such public institutions in an attempt to steal personal information or hold control of the systems for ransom. The gang who attacked the British Library, for example, demanded 600,000 British pounds in cryptocurrency. When the library refused to pay, the hackers published nearly a half million documents containing personal information on the dark web. It was a year before the British Library restored full access to its printed collections, and its sound archive and digital theses resources still haven’t been repaired.
The CPL’s cybersecurity apparatus remains constantly vigilant for such attacks. “We have systems that continually look for the signature of malware code on our systems,” Chisholm says. He likens the library’s cybersecurity systems to that of a bank. Just as a bank’s alarm will sound when thieves break a window or force open a door — long before they ever reach the vault — an automatic notification gets sent out to all the members of the library’s IT team the moment malware is detected. And this isn’t necessarily uncommon. Occasionally, a staff member might accidentally trigger something the system doesn’t understand and set the guard dogs off. For example, if an employee innocently clicked a link that silently redirected to a potentially malicious website, the cyberdefense systems would be alerted. “I’d say, almost 90 per cent of the time, you check and see it’s something minor,” Chisholm says.
Not this time. As soon as the alarms went off, Chisholm and his team assessed the severity of the attack and the significance of the threat actor. “Is this someone in their basement getting lucky, or are we being attacked by something more sinister and larger and sophisticated?” asks Chisholm. The complexity of the October hacker’s malware scripts revealed a worst-case scenario. “We were being attacked by a sophisticated professional organization, and up against something that has got some significant capability,” he says.
Fortunately, the playbook for such an attack had already been written almost two years earlier — even before Chisholm joined CPL in March 2024. Businesses constantly face cyberattacks. This is the new reality. “It’s less about ‘if’ an organization will be attacked, it’s when,” Chisholm says. Organizations need modern, sophisticated defences, along with plans for when the defences are breached. “These playbooks help reduce the confusion and anxiety during an attack and greatly reduce the time to recover,” Chisholm affirms.
CPL staff simply had to execute the plan that was already in place. They didn’t hesitate. By Oct. 11, library staff across the city turned off every computer in every branch. They also informed patrons they had to leave and locked the doors behind them. The only surefire way to stop such an attack is to shut everything down.
In some ways, library staff had been there before. “We’re battle-tested,” says CPL CEO Sarah Meilleur. Many had worked during the 2013 flood when library branches needed to abruptly close. Many more employees worked during the pandemic, managing the multiple closures, openings and restrictions. “We became very adept at working to provide as much service to the community as we could within the restrictions that were available, and working to keep everyone safe,” Meilleur says. “Our teams are really committed to the work that we do to serve the community and [are] also flexible and resilient.”
Thanks to the quick work of CPL staff, the hackers never breached the library’s “vault” of information. No patron or staff data was compromised. The heist was a bust. But much work remained. The library needed time to ensure its system was secure and that malware wasn’t still lurking on a hard drive somewhere. Investigators physically examined each of the more than 2,000 devices in the CPL system. Every single public computer was wiped and rebuilt with a new operating system. Servers were assessed and cleaned. This process took several weeks.
In the meantime, the CPL system reopened five days after the alert, and served patrons as best they could. Services came back in cautious stages. No Wi-Fi was available at the branches at first. E-books were available, but, for physical books, patrons were asked to ignore due dates and avoid returning books.
With their computers down, librarians checked out books the old-fashioned way, by writing down library card numbers and bar codes in a ledger. According to Meilleur, 640,000 individual items were checked out during the six-week ordeal. By the end of December, a majority of library services had returned, but not all.
For Meilleur, the cyberattack revealed the library’s importance to its vast community. More than 818,000 Calgarians, or 57 per cent of the city’s population, according to CPL, are active library members. Meilleur feels nothing but gratitude towards them. “Love and thanks to Calgarians for their patience and support of their library,” she says. “And for showing all the library love.”
6 Week Timeline
October 10
Calgary Public Library staff is alerted to an attempted hack.
October 11
Staff across the city turn off every computer in every branch and close early to the public; investigators begin physically examining each of the thousands of devices in the CPL system.
November 21
Members can access their accounts and locations begin to accept and process holds and returns.
December 11
Public Wi-Fi is available again at all library locations.
Mid-to-late December
Full services return to branches in stages; libraries are up and running normally by the new year.