Cyber Incident Victim: KQED Public Media
Date:
Jun 2017
Location:
United States of America
Summary
A ransomware attack targeted San Francisco's public broadcasting organization, forcing widespread operational disruptions as internet-connected systems were isolated to contain the infection. The incident caused prolonged reliance on manual processes and offline workflows, with numerous devices and services remaining disconnected for over a month following initial containment efforts. This significantly impacted daily operations across the station's technical and journalistic functions.
Description
On June 15, 2017, KQED, a public television and radio station based in San Francisco, experienced a ransomware attack that compromised its computer systems. The organization responded by isolating infected devices and disconnecting all internet-connected equipment, tools, and machinery to contain the malware's spread. This immediate containment strategy forced staff into a low-tech operational mode, severing access to the networked resources their regular workflows depended on. The disruption persisted for over a month, with many systems still offline as of the July 18, 2017 reporting date. Journalists and other personnel fell back on manual processes reminiscent of pre-digital workflows while network restrictions remained in place. No specific ransomware variant or initial attack vector was disclosed in available reporting.

The prolonged disruption significantly impacted KQED's daily operations, requiring staff to maintain basic functions without their standard internet-dependent tools. While critical broadcasting systems stayed on air through alternate means, the isolation of infected devices created persistent workflow challenges across editorial and administrative departments. The station did not publicly disclose whether data was exfiltrated, or whether ransom demands were issued or paid. Recovery efforts extended well beyond the first month, indicating substantial remediation complexity. Operational continuity relied on isolated, low-tech procedures until systems could be systematically restored and secured.
