Subscribe for 99¢
St. Louis Public Library

Library employees Liz Reeves (left) and Barb Knotts try out the new interactive computer screen in the Creative Experience room of the library. Reeves is Director of Development and Knotts is the Electronic Collections Manager. The St. Louis media got a sneak preview of the downtown St. Louis Public Library on Wednesday, Dec. 5, 2012, before the re-opening on Sunday, Dec. 9, 2012. Photo by J.B. Forbes jforbes@post-dispatch.com

Patrons were shut out of 700 public computers Thursday after hackers blocked the St. Louis Public Library’s server. Books and other materials could not be checked out.

In a “ransomware attack” late Wednesday or early Thursday, hackers demanded an amount in bitcoin to reopen the library’s server, said Jen Hatton, spokeswoman for the library system. The library does not want to release the amount of the ransom because of an FBI investigation. Bitcoin is an online currency that can be difficult to trace.

“We’re not going to pay,” she said Thursday.

Although the server was hacked, the library stores no personal or financial information on it, Hatton said. Patrons and employees do not need to worry about stolen personal data, she said.

Patrons’ addresses are collected in connection with books and other items that are checked out, but those are not stored on the library server. An outside vendor handles the checkout information, but communication between the vendor and the library’s server is down. Library staff members also are unable to send emails or access the internet.

“We are still working to identify the scope of the hacking,” Hatton said, however. At this time, the library’s 16 locations are not allowing checkouts. “I hope we will be able to start checking out sometime today, but I don’t know a time frame.”

A cybersecurity researcher, however, believes the library’s system was more vulnerable than the institution indicates.

Eric Nicholson, who is working on his master’s degree in computer science at Washington University, sent the library’s help desk an email in October 2015 that said his research team “discovered a major vulnerability in the Online Card Application page.”

He also wrote that “anyone who registers for a library card online is vulnerable to having their identity stolen via the SLPL website in its current state.”

Nicholson was examining the website as part of a project for a cybersecurity class. He sent the library screenshots of a sample registration that showed the patron’s address, birthdate and PIN. Often, people use the same PINs and passwords over and over, so a hacker may try to access a victim’s other accounts.

There was no immediate response from the library regarding Nicholson’s warning or whether website upgrades unveiled in November included security changes.

The local libraries will remain open for patrons to come in to browse and read materials or do their own work. The St. Louis Public Library consists of the Central Library at 1301 Olive Street and 15 branches. Many patrons reserve library computers for schoolwork or to look for jobs. Reserved computers will not be available.

The library’s website is still up, and patrons at home or off-site locations can access downloadables (e-books, e-music) and digital material from Hoopla and other vendors.

The library reported the attack to the FBI, but Hatton said the library’s own technology employees should be able to restore service. Tech services staff discovered the attack early Thursday. It had not been determined whether the attack took place late Wednesday or early Thursday.

Hatton characterized ransomware attacks as fairly common. With such an attack, the hackers demand the victim pay so they can regain control of their computer system.

Norton, a company that provides computer security software, says on its website that ransomware attacks and other scareware scams may bring in up to $150 million a year to scammers. It says:

“The criminals often ask for a nominal payment, figuring you’ll be more likely to pay to avoid the hassle and heartache of dealing with the virus. They may ask for as little as $10 to be wired through Western Union, paid through a premium text message or sent through a form of online cash.”

Hollywood Presbyterian Medical Center in California paid a $17,000 ransom in bitcoin to a hacker, the Los Angeles Times reported last year.