The Guardian confirms criminals accessed staff data in ransomware attack

The Guardian has confirmed that the cyber incident it experienced in December was a criminal ransomware attack and that the attackers are believed to have accessed staff data.

An email detailing the attack, seen by The Record, explains that the newspaper “detected suspicious activity on our networks on Tuesday 20th December, resulting in our decision to close our offices and announce the disruption the next day.” The Guardian published details about the email soon afterwards.

Staff were subsequently told to work from home until at least January 23 — now postponed until early February — and the company contacted the data protection regulator to comply with legal requirements around data breaches.

According to the email, the Guardian says it is “now clear that we experienced a highly sophisticated cyber attack involving unauthorized third-party access to parts of our network, which appears to have been triggered by a phishing attack.”

The attack was described as affecting many of the company’s key systems, its IT network, and “some” of its  data.

"We believe this was a criminal ransomware attack, and not the specific targeting of the Guardian as a media organization. These attacks have become more frequent and sophisticated in the past three years, against organizations of all sizes, and kinds, in all countries.  We have reported this incident to the UK Information Commissioner’s Office and to the UK police and are keeping them updated.

We took steps to shut down and secure our network as soon as we detected the attack. We then activated our response plan, and we engaged online threat monitoring services and a number of external experts to assist. We have seen no evidence that any data has been exposed online thus far and we continue to monitor this very closely.”

The investigation was described as “complex and ongoing” and the email confirmed that, while the Guardian could not yet assess the impact of the incident fully, it has established “that some files containing the personal data of UK staff have been accessed as part of the attack.

The email, signed by the newspaper’s editor Katharine Viner and chief executive Anna Bateson, said that the sensitive data accessed related to employment details, including “name, National Insurance number, address, salary, identity documents such as passports.”

“We are arranging a support service for all UK staff from the credit and data analytics firm Experian free of charge,” said the email, sent days after independent journalist Brian Krebs revealed that identity thieves had been exploiting a security weakness in Experian’s website to access its customers’ reports — which, he found, were often inaccurate.

The Guardian acknowledged that “there is the potential for these types of data to be combined and used for identity fraud” but said it has “seen no evidence that personal data has been exposed online, and so the risk is low. We are continuing to monitor for this.”

Alongside the Experian service, the editor and chief executive said they were seeking advice from other identity experts.

The email also advised Guardian staff to “use strong passwords and change them regularly.” This is the opposite of advice issued by the National Cyber Security Centre which warns: "Regular password changing harms rather than improves security."

The email warned it was likely to be several weeks before most of the Guardian’s systems were fully operational, although “thanks to ongoing work from our technology teams” it hopes to have the first of its critical systems running within the next two weeks.