The Philadelphia Inquirer is still working to recover normal operations after a cyber attack last week, which kept a Sunday edition from going to print and continues to keep employees out of the paper’s offices.
Though the paper’s print and online editions are continuing to roll out, there are lingering issues as employees work out of a makeshift office. After the attack began on a weekend morning and compromised the main content management system, staff scrambled to find alternate methods to post stories and continue to process classified ads.
Nature of cyber attack still not confirmed, but ransomware strongly suspected
About a week after it took place, details about the Inquirer’s cyber attack are still somewhat thin. The total disruption of systems and office closures point to ransomware, however.
In terms of damage, there has not yet been any word about employee or customer personal information being exfiltrated. Aside from the print Sunday edition being canceled (though the contents were made available online), the paper does not appear to be experiencing lasting operational issues other than suspending some classified ads temporarily out of “an abundance of caution” and experiencing delays in the posting of some stories.
Operations remain outside of the main offices, however, and that is a very strong signal that ransomware was involved in the cyber attack. Not only would the computers on site be useless until remediation is complete, but connection of new devices to the compromised network could also spread the infection.
If it is ransomware, remediation and a full normalization of operations could take a very long time. Ransomware is relatively rare among cyber attacks on newspapers, which are usually targeted by advanced state-backed hackers looking to establish a long-term espionage foothold. But several papers that have dealt with ransomware in recent years, including The Guardian in 2022, went through a recovery process that took months to complete.
Severe blow to Inquirer operations may have been due to lax cybersecurity policies
It would be improper to assign blame before more details of the case come out, but some of the Inquirer’s existing statements indicate that outdated cybersecurity policies may have played a role in clearing a path for the cyber attack.
For example, the paper reported that many of its systems were not protected by mandatory multi-factor authentication. It also said that employees had experienced spearphishing before, leaving questions about the state of training and general awareness at the company. Elements like backup policies, emergency recovery plans, and the presence or frequency of exercises to simulate situations such as this remain unknown.
Whatever the case, the paper has not had a sustained shutdown of operations since 1996. That incident was due to inclement weather rather than hacking, with a blizzard keeping employees out of the office for two days. There is not yet any word of potential culprits. The first activity associated with the attack was noticed by a cybersecurity contractor on May 11, and employees found that the paper’s content management system had been compromised on Saturday, May 13.