Guardian Media Group (GMG), the parent organisation of the UK’s Guardian newspaper, has confirmed that the 20 December cyber attack on its systems – which left staff locked out of its London office and disrupted key systems including print production, payroll and expenses – was an opportunistic and likely untargeted ransomware attack.
In an email to staff circulated in the afternoon of Wednesday 11 January, GMG chief executive Anna Bateson and Guardian editor-in-chief Katharine Viner said that the personal data of UK staff was compromised in the “highly sophisticated” incident, which they believe to have begun via a phishing attack, but said it was not, as some had speculated, related to politically motivated hacktivism.
“We believe this was a criminal ransomware attack, and not the specific targeting of the Guardian as a media organisation,” they said. “These attacks have become more frequent and sophisticated in the past three years, against organisations of all sizes, and kinds, in all countries. We have seen no evidence that any data has been exposed online thus far and we continue to monitor this very closely.”
Bateson and Viner added that there was no evidence to suggest that any reader or subscriber data, nor any data on the organisation’s Australian or US-based workforce, was accessed. Nor is it thought, at this stage, that any of the data that was compromised has been leaked.
The organisation has been working with third-party cyber forensics and other investigators to restore the affected systems.
Having previously told staff to work from home until at least Monday 23 January, it has now pushed back the return to its Kings Cross office back until early February to enable its IT and security teams to better focus on the recovery efforts.
GMG did not attribute the attack to any known ransomware operation, nor did it say whether or not it has engaged with its attackers or paid a ransom – a tactic that is in general highly inadvisable.
Egnyte cyber security director Neil Jones praised GMG for being more upfront about its experience than many others.
“The recent ransomware attack at the Guardian is obviously unfortunate, but the attack does have an unprecedented silver lining. This is the first time I can ever remember an organisation acknowledging an attack immediately, even providing updates about it on its own website,” he said.
“There are several key lessons that can be learned from this incident: organisations need to combine ransomware detection and recovery solutions with effective data recovery programmes; companies need to have incident response plans in place, to effectively notify their customers, employees, business partners and the news media of potential breaches; and during these dynamic times, routine technological audits need to occur on a more frequent basis than they did before to prevent vulnerabilities from being exploited.”