Newspaper giant Lee Enterprises says nearly 40,000 Social Security numbers leaked in ransomware attack

Nearly 40,000 people had their Social Security numbers exposed during a cyberattack in February on Lee Enterprises, one of the largest owners of local newspapers in the U.S.

The company notified regulators in Maine of the incident on Wednesday, telling them that it discovered the leak of sensitive information on May 28. 

Lee Enterprises spent weeks recovering from the damaging cyberattack discovered on February 3. A subsequent investigation revealed that the hackers accessed sensitive information belonging to 39,779 people. 

The letters to victims say the FBI was notified of the attack and Lee Enterprises pledged to “cooperate with any resulting investigation and provide whatever cooperation may be necessary to hold the perpetrators accountable.” Free credit monitoring services are being offered to victims for a year. 

The Qilin ransomware gang took credit for the attack, claiming to have stolen 350 gigabytes of data from the company. 

Qilin is a Russia-based cybercriminal operation known for devastating attacks on the British healthcare system and several other headline-grabbing incidents.  

The attack on Lee Enterprises was severe, halting print and online production of multiple newspapers across the U.S. including prominent outlets like the St. Louis Post-Dispatch, the Arizona Daily Star, the Buffalo News, the Sioux City Journal and more. 

The Iowa-based company owns about 350 weekly and specialty publications serving 72 markets in 25 states. In filings with the Securities and Exchange Commission, the company confirmed that hackers had stolen files and encrypted “critical applications” that impacted the distribution of products, billing, collections, and vendor payments. 

“While the full scope of the financial impact is not yet known, the incident is reasonably likely to have a material impact on the Company’s financial condition or results of operations,” they told regulators in February. “The Company is continuing its forensic investigation and analysis to assess the potential impact.”

During an earnings call last month, CEO Kevin Mowbray said it cost the company $2 million to recover from the cyberattack and noted that its advertising revenue was impacted because of how long so many of the newspapers were knocked offline. 

In light of the attack, the company’s lenders waived interest and rent payments for March and April.