Newspaper article St Louis Post-Dispatch (MO)

Hack of St. Louis Public Library Freezes Checkouts, 700 Computers

Newspaper article St Louis Post-Dispatch (MO)

Hack of St. Louis Public Library Freezes Checkouts, 700 Computers

Article excerpt

Patrons were shut out of 700 public computers Thursday after hackers blocked the St. Louis Public Library's server. Books and other materials could not be checked out.

In a "ransomware attack" late Wednesday or early Thursday, hackers demanded an amount in bitcoin to reopen the library's server, said Jen Hatton, spokeswoman for the library system. The library does not want to release the amount of the ransom because of an FBI investigation. Bitcoin is an online currency that can be difficult to trace.

"We're not going to pay," she said Thursday.

Although the server was hacked, the library stores no personal or financial information on it, Hatton said. Patrons and employees do not need to worry about stolen personal data, she said.

Patrons' addresses are collected in connection with books and other items that are checked out, but those are not stored on the library server. An outside vendor handles the checkout information, but communication between the vendor and the library's server is down. Library staff members also are unable to send emails or access the internet.

"We are still working to identify the scope of the hacking," Hatton said, however. At this time, the library's 16 locations are not allowing checkouts. "I hope we will be able to start checking out sometime today, but I don't know a time frame."

A cybersecurity researcher, however, believes the library's system was more vulnerable than the institution indicates.

Eric Nicholson, who is working on his master's degree in computer science at Washington University, sent the library's help desk an email in October 2015 that said his research team "discovered a major vulnerability in the Online Card Application page."

He also wrote that "anyone who registers for a library card online is vulnerable to having their identity stolen via the SLPL website in its current state."

Nicholson was examining the website as part of a project for a cybersecurity class. He sent the library screenshots of a sample registration that showed the patron's address, birthdate and PIN. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.