Cyber Incident Victim: Gannett
Date:
Mar 2017
Location:
United States of America
Summary
A media company experienced a phishing attack targeting human resources staff via fraudulent emails, which potentially compromised approximately 18,000 current and former employee accounts. The incident was detected when attackers attempted an unauthorized corporate wire transfer, flagged as suspicious by the finance team and ultimately unsuccessful. While no sensitive personal data or customer information was confirmed to have been accessed or acquired, affected individuals were offered credit monitoring due to potential exposure of account credentials before the compromised accounts were secured. The attack leveraged malicious links in deceptive emails, a common method to infiltrate networks and escalate access internally.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On March 30, 2017, Gannett Co., owner of USA TODAY and 109 local news properties, discovered a phishing email attack targeting its human resources staff. The company's cybersecurity team immediately launched an investigation, determining that the attack originated from fraudulent emails designed to compromise employee accounts. The perpetrators attempted to leverage a compromised account to initiate a fraudulent corporate wire transfer, but Gannett's finance team identified the suspicious transaction request and prevented its completion. This detection mechanism revealed the broader phishing campaign, which potentially affected approximately 18,000 current and former employees. While attackers gained access to some account credentials through malicious email links, Gannett confirmed no evidence suggested unauthorized access to or acquisition of sensitive personal data from these accounts. The company swiftly locked down all compromised accounts to contain further infiltration.
The incident's impact centered on potential exposure of employee information accessible through the hijacked login credentials, though no customer account data was affected. Gannett initiated a notification process through the U.S. Postal Service to inform all 18,000 individuals about the breach and offered complimentary credit monitoring services as a precautionary measure. The phishing attack employed standard tactics, using deceptive emails to trick recipients into clicking malicious links that installed malware to harvest credentials. Gannett's containment response included account lockdowns before attackers could escalate network access beyond initial entry points. The company maintained there was no operational disruption to its publishing operations or compromise of journalistic systems during or after the incident.