Hackers may have accessed Inquirer subscriber and employee personal data in 2023 cyberattack

About 25,500 Philadelphia Inquirer subscribers, employees, former employees, and employees’ family members on company benefit plans may have had their personal information exposed in a May cyberattack, Inquirer publisher and chief executive officer Lisa Hughes said Friday.

The company announced in an internal email to employees that outside cybersecurity experts had found no evidence that the data had been misused to commit identity theft or fraud. In an e-mailed response to follow-up questions, Hughes said that Social Security numbers, driver’s license numbers, financial account information, and medical information may have been accessed.

The company will send letters to people who may have been impacted with details about what information was compromised and will offer complimentary credit monitoring and identity restoration services.

The update comes at the conclusion of what The Inquirer called a “complex, methodical, and lengthy process” to investigate the incident.

The investigation was unable to identify the specific individual or individuals who were behind the attack or their motivations, Hughes said. She declined to share what files may have been impacted, citing confidentiality reasons.

Cyberattacks, which have more than doubled in recent years, pose a major threat to businesses, governments, and consumers around the world.

Locally over the past year, the City of Philadelphia, Pennsylvania Courts, the Bucks County Department of Emergency Management, Comcast, and the Borgata in Atlantic City have responded to attacks, some of which severely disrupted operations for days and potentially exposed people’s confidential health and financial information.

The incident at The Inquirer was detected on May 11, 2023, when Cynet, a vendor that manages security, alerted the company of suspicious network activity. By May 13, 2023, some of the Inquirer’s publishing systems were impacted, and workarounds had to be created to post stories online.

In the days after the incident, Hughes said The Inquirer had “discovered anomalous activity on select computer systems and immediately took those systems off-line.” The company also notified the FBI.

The Inquirer couldn’t print its normal Sunday newspaper, and employees — who are on a hybrid schedule with one mandatory in-office day — weren’t allowed to access the newsroom for several days. Digital publication was not impacted.

A ransomware group called Cuba, which has hacked other businesses and governments around the globe, later claimed responsibility for the attack, and posted online what it said were stolen Inquirer files containing Inquirer data. A day later, however, Cuba removed the claim from its site on the dark web. Hughes at the time said the company had not seen evidence that any Inquirer information was actually shared. When asked at the time, she did not say whether The Inquirer had paid a ransom in exchange for the claim’s removal.

In recent years, ransomware attacks have targeted news organizations, including the Los Angeles Times, which was majorly disrupted during a 2018 attack. In these incidents, malicious software locks users out of their system and demands payment to reopen it.

In the months since the Inquirer’s incident, the company has increased digital security, including by requiring multifactor authentication on its systems.

“The Inquirer takes this event and the security of information in its care very seriously,” Hughes said. “The Inquirer regularly evaluates the evolving risk landscape and implements controls to mitigate those risks.”