Road to Recovery

Preparing for a ransomware attack and building a support network can improve library response

November 3, 2025

After a May 2024 cyberattack, Seattle Public Library’s Central Library asked patrons to keep their physical books, CDs, and DVDs until their computer systems were running again. Photo: Caroline Walker Evans/Cascade PBS

One morning in October 2023, an accountant at Orion Township (Mich.) Public Library (OTPL) saw something alarming in her accounting software: file names written in Cyrillic.

Within an hour, library leaders had been alerted to the suspicious activity, and the IT director had disconnected the servers, halting a ransomware attack mid-strike. “We caught them in the act,” says OTPL Director Chase McMunn.

Worldwide, more than 15 million cyberattacks have been reported every year since 2020. At public institutions like libraries, these attacks often shut down core systems, compromise personal information of patrons and staff, and leave communities without access to certain services, all while demanding substantial resources to repair the damage.

Toronto Public Library (TPL) also faced a devastating breach in October 2023. Seattle Public Library (SPL) joined the list in May 2024. For each, recovery was long, complicated, and costly, but their experiences offer lessons in how libraries can respond and rebuild.

The early hours

OTPL staffers caught the ransomware attack in progress and cut it short. Because the malware hadn’t finished purging files before the servers were disconnected, recoverable copies in deleted folders allowed the library to restore systems within days.

When the immediate danger was clear, OTPL’s cyber insurance plan became a lifeline. “Once I reached out to our insurance [provided by the Michigan Municipal League], things moved really quickly,” McMunn says. The library was soon connected with legal experts in cybersecurity, who then initiated an investigation.

In Seattle, IT staffers first detected signs of an intrusion early on May 25, 2024. By 9 a.m., administrators had activated an incident command structure modeled on the Federal Emergency Management Agency’s National Incident Management System. They immediately engaged several outside consultants: Cybersecurity firms Critical Insight (a company SPL was already working with) and Alvaka helped identify and expel the attackers, two law firms—Mullen Coughlin and later Orrick—handled compliance and communication, and Charles River Associates managed data forensics.

“You need the expertise, and you most certainly need the manpower and the tools that they bring to the table,” SPL Executive Director and Chief Librarian Tom Fay says about contracting outside assistance.

TPL’s October 2023 attack also triggered a preexisting emergency plan. “It’s a three-tiered structure,” says Vickery Bowles, who recently retired as city librarian and led the system during the attack. Those tiers included the decision-making leadership team, the group that led the service recovery plan, and a team that managed frontline operations and internal communications. The city put TPL in touch with legal counsel, who clarified the library’s legal obligations related to privacy and identity theft, helped to engage a technical consultant, and established legal privilege to ensure that private details shared with consultants remain protected from later disclosure.

Bouncing back

If the first hours were about urgency, the months that followed demanded endurance. Restoring services required enormous effort, often physical as well as digital.

At TPL, all 100 library branches remained open throughout the attack, even as digital systems went offline. Staff continued providing services, including manually checking out materials, which created a backlog of work that employees later needed to digitize. Once services had been fully restored in February 2024, staffers processed new library card registrations first, then worked through 1.4 million returns and renewals. While working to restore services, IT staff painstakingly quarantined and checked each library computer for malware.

SPL staff faced a similar set of challenges. More than 1,000 computers systemwide were reimaged, and tens of thousands of books piled up at the maintenance and operations center waiting for processing. Communication also required improvisation: Staffers received updates via printed memos, and an emergency phone line provided daily status reports.


Lessons learned

In the aftermath of their respective attacks, OTPL, SPL, and TPL point to a set of shared lessons. For example, demanding a ransom is common in ransomware attacks against public institutions, but legal experts often advise against paying. “Even if you paid the ransom, there’s no guarantee they’re going to destroy the data and not come back for more later,” Bowles says.

Structured response models were also vital for managing chaos. TPL had prepared for potential attacks by running tabletop exercises, which let staffers practice their roles in a simulated crisis. Cyber insurance gave OTPL a critical safety net, and transparent, fact-based communication preserved patron trust when systems, like the library’s website and county historical resources, were down.

All three libraries strengthened technical defenses after the attacks, including stronger firewalls, multifactor authentication, phishing simulations, and more robust intrusion detection. For TPL, the crisis even accelerated long-term digital priorities, Bowles says.

In addition, peer support can be an important recovery tool. Within days of the attack at SPL, library leadership was on the phone with colleagues in Toronto and Boston, at the British Library, and in Singapore—all at institutions that had experienced ransomware incidents in recent years. Those conversations, Fay says, were both practical and reassuring, offering advice on recovery and a reminder that they weren’t alone.

“If a library system goes through it,” he says, “we’re always here to be on call if you have questions.”

A version of this article first appeared on americanlibraries.org on September 15, 2025.
