Cyber Incident Victim: M6 Group
Date: Oct 2019
Location: France
Summary
The M6 Group, a major French multimedia company, experienced a ransomware attack that disrupted internal systems including phone lines and email servers, though its television and radio broadcasts remained operational without downtime. Cybersecurity personnel contained the infection, mitigating broader operational impacts, but residual technical issues persisted for multiple days. The incident prompted another French broadcaster, TF1, to suspend email communications with the affected organization as a precautionary measure against potential cross-infection.
Description
On the morning of October 12, 2019, the M6 Group—France’s largest privately owned multimedia conglomerate—experienced a ransomware attack impacting its internal infrastructure. The company detected the intrusion on Saturday and immediately activated its cybersecurity response team to contain the infection. Through rapid intervention, M6 prevented operational disruption to its core broadcasting services, ensuring continuous transmission across all ten television channels, radio stations, and film production facilities. Despite this containment success, ancillary systems including corporate phone lines and email servers remained offline through the following Monday, impairing internal and external communications. The incident prompted immediate operational adjustments from industry peers, with rival broadcaster TF1 instituting a ban on email communications with M6 personnel to mitigate potential cross-infection risks. M6 publicly acknowledged the attack via its official Twitter account, emphasizing the effectiveness of its incident response while confirming ongoing recovery efforts for non-critical systems.

The incident occurred against a backdrop of heightened anxiety within the French media sector regarding high-impact cyberattacks, particularly following the 2015 breach of TV5 Monde by Russian state-linked threat actors. In that earlier attack, hackers designated as Fancy Bear disrupted live broadcasts for hours, sabotaged digital platforms, and nearly destroyed archival data—an outcome M6’s team successfully avoided. Industry observers comparing the incidents noted that M6 was in a relatively favorable operational position compared with other ransomware victims: The Weather Channel had suffered a 90-minute broadcast outage in April 2019 under similar circumstances, while U.S. radio giant Entercom endured two weeks of email and network disruptions earlier that year. M6’s containment of the ransomware to non-broadcast systems underscored the asymmetric impact of such attacks, where business operations like communications could remain impaired even when primary services were shielded. The incident reinforced existing sector-wide vigilance regarding cyber threats capable of disrupting critical media infrastructure.
