In an email sent to staff on Wednesday local time, the attack was described as a “highly sophisticated cyber-attack involving unauthorized third-party access to parts of our network.” The most likely attack vector is believed to have been a successful phishing email.
Personal data of U.K. staff members is said to have been accessed during the incident. Reader and subscriber data, along with information relating to Guardian staff in the U.S. and Australia, is not believed to have been accessed.
No evidence has been found of the data being shared online, with employees told that the risk of fraud is therefore considered low. The email did warn, though, that “there is the potential for these types of data to be combined and used for identity fraud.” Affected staff are being offered free support against identity theft from Experian plc.
“We believe this was a criminal ransomware attack and not the specific targeting of the Guardian as a media organization,” the email read. “These attacks have become more frequent and sophisticated in the past three years, against organizations of all sizes, and kinds, in all countries.”
The attack, which occurred in the week before Christmas, did not affect the online publishing of The Guardian but resulted in a disruption to behind-the-scenes services. Employees were also told to work from home while the attack was being dealt with.
Fast-forward three weeks, and Guardian staff are still working from home; a return to working at the newspaper’s office has been postponed until early February. The Guardian expects some critical systems to be back up and running “within the next two weeks.”
“This is a lesson that no matter the industry you are in, you are a target for ransomware,” Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “The initial infection vector here, email phishing, is one of the most common and successful attack types when it comes to ransomware.”
“Organizations should ensure they have good, tested, and off-line backups, and should ensure they are educating their staff on how to identify and report phishing emails,” Kron added. “In addition, data loss prevention controls are critical as bad actors often steal data and use the threat of releasing it publicly to extort victims.”