Extra! Extra! Don’t quite read all about it: Cyber attack hits Philadelphia Inquirer

Breaking news, literally

A cyber "incident" stopped The Philadelphia Inquirer's presses over the weekend, halting the Sunday edition's print edition and shutting down the newspaper's offices to staff until at least Tuesday.

The Inquirer reported the disruption on its website, and quoted publisher Lisa Hughes, who promised to keep staff and readers informed about the situation. However, she added, the newspaper didn't have "an exact timeline" as to when the systems would be back up and running as usual.

On Saturday the weekend staff reported that the content management system – industry jargon for the publishing software used to write, edit, and put out stories and titles – for the paper wasn't allowing them access; Hughes said her IT security staff "discovered anomalous activity on select computer systems and immediately took those systems off-line."

Though it was unable to print its Sunday edition, it will continue to publish articles online, and the newsroom may still be closed on Tuesday's mayoral primary election night; Hughes said the cyber attack won't affect coverage.

"We appreciate everyone's patience and understanding as we work to fully restore systems and complete this investigation as soon as possible," Hughes said. "We will keep our employees and readers informed as we learn more."

The newspaper's network security vendor alerted The Inquirer about the intrusion last Thursday, according to CBS News. It's unclear when the initial network breach happened, or how the intruders gained access.

Hughes, according to The Inquirer, declined to say which other systems had been affected, what - if any - data had been stolen, and whether this includes readers' information. She also said the company notified the FBI, and that the ongoing probe prevented her from commenting about who was responsible for the cyberattack. Infosec shop Kroll is said to be investigating.

In a statement to The Register, Hughes said:

On May 11, The Philadelphia Inquirer discovered anomalous activity on select computer systems and immediately took those systems offline. We are working with third-party forensic specialists from Kroll to restore systems and fully investigate the matter.

In the meantime, we continue to provide Philly and the region with the latest news through all of our normal platforms: Inquirer.com, e-Edition, print editions, newsletters, and social media. Our investigation into this matter is ongoing, and we will continue to keep our employees and readers informed as we learn more.

The security of our network and systems is a top priority. Based on the results of our investigation, we will take action as needed to help prevent a similar situation from occurring in the future.

The IT downtime, which Pennsylvania's largest news organization described as its worst disruption since a two-day blizzard in January 1996, hit The Inquirer just days before Tuesday's Democratic mayoral primary election.

It's an especially heated race in heavily Democratic Philadelphia with national implications. Pennsylvania is a must-win for US President Joe Biden if he wants to imagine a second term in the Oval Office.

There's also no word as to whether ransomware is to blame for the publishing snafu, although that would be a safe bet given the frequency of which these infections occur and the pressing nature of the target's business, which can make paying up a more attractive option.

"Ransomware operators are, for the most part, financially motivated," Jon Miller, CEO and co-founder of cyber resilience company Halcyon, told The Register.

"They continue to go after both high-value targets that have the means to pay high ransom demands, as well as industries that traditionally have understaffed and underfunded security operations that cannot adequately defend against these more complex, multi-stage attacks, eg media outlets," Miller added. 

And, as crooks look for more ways to monetize cybercrime, stealing sensitive data and then threatening to publish it online if businesses don't pay up — or simply selling the stolen info on dark-web marketplaces — makes large-scale data theft in these types of breaches increasingly common.

IT outsourcing giant Capita, which suffered a major break-in in March, recently warned that sensitive details of almost half a million members were held on servers accessed during the recent breach. 

Meanwhile, Black Basta, the extortionists who claimed they were the ones who lately broke into Capita, have reportedly put this data up for sale, including bank account information, addresses, and passport photos, stolen from the IT outsourcing giant.

Additionally, last week Western Digital admitted that customer information was indeed stolen during the March security breach, forcing the storage manufacturer to shut down its online store.

Finally, there's the case of Dragos, an infosec outfit, that went full disclosure on attempts by miscreants to break into its systems. Though those would-be intruders claimed they had pwned the biz, Dragos instead said the ransomware crooks broke into the personal email inbox of a new sales employee, and used that to masquerade as the starter and access some of the org's "SharePoint and the Dragos contract management system." It's argued that the intruders weren't able to move through the network and deploy their extortionware.

"No Dragos systems were breached, including anything related to the Dragos Platform," the biz stated. ®

More about


Send us news

Other stories you might like