The Guardian has confirmed that threat actors stole the personal data of UK staff members during the ransomware attack that affected its systems on December 20, 2022.
The updates come from The Guardian Media Group's chief executive, Anna Bateson, and The Guardian's editor-in-chief, Katharine Viner, who emailed staff members on Wednesday.
The executives have described the incident as a "highly sophisticated cyber-attack involving unauthorized third-party access to parts of our network," probably caused by a successful phishing attempt. They have also said that the attack was not directly targeting The Guardian.
"We often hear incidents of this type described as 'sophisticated,' when in fact it is fairly common and easy to execute – a ransomware attack infiltrating a network via a simple phishing attempt is a tale as old as time," commented Dominic Trott, head of strategy at Orange Cyberdefense.
"I believe the days of referring to 'spray and pray' phishing as a sophisticated attack are behind us [...] Therefore, this incident should drive home the reality that it doesn't take much to infiltrate a major organization, so training and awareness of even the simplest techniques used by cyber-criminals shouldn't go forgotten."
At the same time, Bateson and Viner clarified that the publication had no reason to believe that the personal data of readers and subscribers, or of The Guardian US and The Guardian Australia staff, had been accessed.
Even for the stolen data of UK staff, The Guardian executives said they had found no evidence of it being exposed online, so they considered the risk of fraud low.
Still, according to Erich Kron, security awareness advocate at KnowBe4, the attack should serve as a lesson that no matter the industry, everyone can be a target of ransomware.
"To prepare for ransomware, organizations should ensure they have good, tested and off-line backups, and should ensure they are educating their staff on how to identify and report phishing emails," Kron told Infosecurity.
"In addition, data loss prevention (DLP) controls are critical as bad actors often steal data and use the threat of releasing it publicly to extort victims."
The Guardian added that while some critical systems will be back up and running "within the next two weeks," returning to office work has been postponed until early February, confirming Bateson's analysis from last week.