Cyber Incident Victim: PBS KVIE
Date: Oct 2022
Location: United States of America
Summary
PBS KVIE experienced an attempted ransomware attack affecting internal systems, prompting an immediate investigation and containment response that included taking systems offline, changing credentials, engaging cybersecurity experts, and notifying authorities. Critical systems such as broadcasting, payroll, membership, and accounting remained operational due to network segmentation, though unauthorized access to some internal data occurred without evidence of misuse. The organization declined ransom demands, opting to restore data from backups, though newer files and certain local production files were lost between backup intervals. Security enhancements were implemented post-incident, including additional safeguards and continued segmentation of mission-critical infrastructure.
Description
On October 31, 2022, PBS KVIE detected suspicious activity on its internal network, later identified as an attempted ransomware attack. President and General Manager David Lowe confirmed the organization immediately initiated an investigation upon discovery, implementing containment measures that included proactively taking affected systems offline, changing passwords, and engaging cybersecurity experts alongside law enforcement. Critical operational systems—such as broadcast operations, payroll, membership databases, and accounting—remained unaffected due to deliberate network segmentation isolating these mission-critical functions from the compromised internal network. While unauthorized access to some KVIE information occurred within the targeted network segment, investigators found no evidence that email systems or segmented donor/member data—which included encrypted credit card information stored in a separate secure system—were compromised. The attackers demanded payment to decrypt files and prevent data disclosure, but KVIE declined to pay, opting instead to restore systems from backups in coordination with law enforcement and data security professionals.

KVIE’s restoration process revealed limited data loss confined to newer files created between the last recoverable backup and the attack, along with some affected local production files requiring ongoing recovery efforts. Throughout the incident, broadcast operations continued uninterrupted. Between October 31 and the November 23 public disclosure, KVIE worked with cybersecurity specialists to add supplemental security controls to existing protections while methodically bringing systems back online. Forensic analysis confirmed no misuse of accessed data had occurred. The organization maintained its network segmentation strategy for critical systems during and after remediation, with external experts monitoring ongoing recovery and security enhancements. KVIE emphasized that its preexisting security architecture—specifically the isolation of sensitive member information and the absence of stored, accessible credit card numbers—prevented broader compromise despite the network intrusion.
