The city of Philadelphia’s largest newspaper couldn’t publish its Sunday edition last week due to a weekend cyberattack that caused the largest disruption to its production in 27 years. It’s still affecting daily operations, with no end in sight.
Staff of the Philadelphia Inquirer also were told to stay at home through at least May 16 due to ongoing disruptions, as the media company and third-party cybersecurity experts continue to work to restore systems after the attack, according to a report that the newspaper published on its website that detailed the incident.
The Inquirer continues to publish and update stories to Inquirer.com, “though sometimes slower than normal,” the article by the Inquirer’s Jonathan Lai said. Moreover, management still isn’t sure when the paper’s systems will be fully restored, said Inquirer publisher Lisa Hughes, who answered Dark Reading’s emails through a spokesperson.
The largest disruption occurred within print production, which left readers without a physical copy of their Sunday paper, and management and employees were unsure if they could publish on May 15. They did eventually manage the latter, but Monday’s print edition was without its classified and obituary sections, which will only reappear in the paper again on May 17, according to the article.
The incident — in which threat actors exploited a undisclosed vulnerability present on the paper’s system — so far has been the greatest publication disruption to the Inquirer since the blizzard of Jan. 7-8, 1996. It also came at an inopportune time for the news organization, just days before a key election that occurred yesterday in the city’s mayoral race.
The halt in production harks back to a major 2019 cybersecurity incident against Tribune Publishing, which owns several major US newspapers — including the Chicago Tribune and Baltimore Sun, as well as the Los Angeles Times — and affected production and delivery of those papers.
“We appreciate everyone’s patience and understanding as we work to fully restore systems and complete this investigation as soon as possible,” Hughes said, according to the article. “We will keep our employees and readers informed as we learn more.”
Attack Timeline
Inquirer management and staff still are not clear about when the attack began, though the first alert to suspicious activity occurred on Thursday, May 11, when Cynet, a vendor that manages the Inquirer’s network security, noticed something was amiss.
The paper operated normally through May 11-12, but on the morning of Sunday, May 14 employees could not access the paper’s content-management systems and had to put in place workarounds to post to Inquirer.com over the weekend, according to the article.
Though specifically what type of attack occurred or who is behind it has not been divulged by the paper, it’s clear by the extent of the disruption that it blindsided the media company, part of a sector that’s becoming an increasingly attractive target for cyber criminals, noted one security expert.
Indeed, the disruption in the wake of the attack is a stark reminder of the potential consequences of cyber threats and the urgent need for all organizations to have “robust cybersecurity measures,” noted Justin Rapacz, senior vice president of managed services at Netrix, a global provider of cybersecurity, cloud, and IT services.
“Comprehensive cybersecurity measures are no longer optional; they’re a necessity — this includes firewalls, intrusion detection systems, and antivirus software, complemented by regular updates and patches to eliminate potential vulnerabilities,” he says in an email to Dark Reading.
Stronger Cybersecurity Measures Needed
The attack on The Inquirer is not the first time the media outlet has been targeted by cybercriminals. Employees also have been targeted by spear-phishing campaigns that impersonated Hughes and other management, she said in her responses for Lai’s article.
And while one of the most basic cornerstones of security that an organization can take these days is multi-factor authentication (MFA), the Inquirer’s Hughes acknowledged that the paper has not so far required MFA across its key systems. That said, the effectiveness of MFA is diminishing as cybercriminals become more sophisticated, Netrix’s Rapacz notes.
“Having MFA is no longer enough,” he says. “The rise of hardware tokens represents the next step in MFA. These devices significantly reduce the risk of interception and duplication, providing an added layer of security and making them a more effective and secure form of MFA in the face of evolving cyber threats.”
Organizations also should practice regular penetration tests and an effective vulnerability management process to identify and address security weaknesses before they can be exploited by cybercriminals, Rapacz says.
“Proactive cybersecurity measures, such as continuous monitoring and regular security audits, can go a long way in preventing cyberattacks,” he says.
While Hughes said that The Inquirer has invested significantly in digital security in recent years — including monitoring and regular security audits from Cynet — the vulnerability that was exploited in the attack had not previously been flagged for investigation.
The incident also serves as a reminder of how important it is for organizations in general to develop “solid incident response and business-continuity plans,” Rapacz adds, as they “can help minimize downtime and maintain operations in the event of a cyberattack.”