Cyber Incident Victim: WTVG
Date:
Nov 2019
Location:
United States of America
Summary
A television station experienced a computer virus infection originating from a downloaded video file, which crippled its editing system and prevented video broadcasting capabilities. The malware disrupted regular programming, forcing shortened newscasts, substitutions with syndicated content, and reliance on live footage and graphics. Technical recovery required extensive decontamination of all affected equipment—including 45 laptops—by internal and corporate IT teams, with each device taking approximately an hour to clean. The virus exclusively impacted news and sports operations, sparing meteorological systems due to separate infrastructure. Initial symptoms involved slowed video playback, escalating to complete system failure after a restart attempt. Investigators concluded the incident was a random occurrence rather than a targeted attack. Staff adapted workflows to maintain limited broadcasts during remediation efforts.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On November 7, 2019, WTVG-TV (Channel 13abc) experienced initial technical disruptions when videos played at abnormally slow speeds during routine operations. Following the 11 p.m. newscast that evening, station personnel performed a system restart to address the performance issues, treating it as a minor operational nuisance. The situation escalated dramatically in the early hours of November 8 when a station employee notified News Director Mel Watson via 3 a.m. phone call that a computer virus had infected their editing systems. Forensic analysis indicated the malware originated from an opened video file, though investigators could not determine whether the source was a USB drive, Facebook video download, or corrupted SD card. The virus specifically targeted the station's ability to process, edit, and broadcast field-recorded video content, rendering these core functions inoperable.
The infection exclusively affected WTVG's news and sports departments, leaving meteorological operations untouched due to their separate computer infrastructure. Immediate operational impacts included the cancellation of the 4:30 a.m. newscast on November 8, replaced by ABC's *America This Morning*, while subsequent broadcasts relied heavily on live reporting and graphics instead of prerecorded video packages. The station shortened its noon newscast from one hour to 30 minutes and substituted *Inside Edition* for its regular 5:30 p.m. program. Response efforts involved WTVG's IT team and Gray Television corporate technicians systematically cleaning all infected equipment, including 45 editing laptops requiring approximately one hour per device for virus removal. Despite these constraints, the station maintained its 5 p.m., 6 p.m., and 11 p.m. newscasts on November 8, along with scheduled weekend programming, through improvised production methods that fostered collaborative problem-solving among staff. The incident remained classified as a random malware occurrence rather than a targeted cyberattack.