Cyber Incident Victim: Rheinische Post Mediengruppe

Date: Jun 2023

Location: Germany

Summary

A cyber attack targeted the Rheinische Post Mediengruppe's in-house IT service provider, Circ IT, causing a widespread outage of its numerous news websites. The incident, described as a supply-chain attack, rendered the sites either completely offline or severely restricted, displaying only error messages. The company stated that no user data was accessed and brought in external IT security experts to work on restoring services securely.

Description

On the evening of Friday, June 16, 2023, a cyber attack was launched against Circ IT, the in-house IT service provider for the Rheinische Post Mediengruppe. This incident resulted in the widespread disruption of numerous online news portals operated by the media group. The attack specifically targeted the service provider, exploiting its role as a full-service provider to the publishing house in a supply-chain attack. The technical problems caused by the breach at Circ IT directly impacted the websites of its parent company's media properties, leading to their failure or severely restricted availability.

The impact was extensive, affecting a significant portion of the Rheinische Post Mediengruppe's digital news presence. Confirmed affected websites included the main portal of the Rheinische Post Mediengruppe itself; rp-online.de, the primary news website of the Rheinische Post newspaper; the website of the Saarbrücker Zeitung, which also included the Pfälzischer Merkur; the online presence of the Aachener Zeitung and Aachener Nachrichten; and the websites of the Generalanzeiger Bonn, the Trierischer Volksfreund, and the Wuppertaler Rundschau. This broad scope demonstrates the reliance of these individual news organizations on the centralized IT infrastructure provided by Circ IT.

Following the attack, the affected websites became largely inaccessible for their primary purpose of delivering news. Instead of their normal content, the sites displayed only a brief message informing visitors of a general technical disturbance. This outage effectively halted the digital news publishing operations of these major regional newspapers. Some functionality, however, remained intact. The ePaper editions of the physical newspapers continued to be available for access, allowing subscribers to view the digital versions of the print publications. In some cases, the technical teams attempted to provide a reduced news overview on a subpage, though the main sites remained crippled.

The company confirmed the incident through a corporate spokesperson who provided initial details about the attack's impact. According to this official communication, the assessment at that time indicated that no user data had been accessed by the attackers. This preliminary finding suggested that the primary impact of the attack was operational disruption rather than a confirmed data breach. The financial impact, however, was immediate in the form of lost advertising revenue and potential subscription disruptions due to the inability to deliver digital news content through their primary web channels.

In response to the incident, the Rheinische Post Mediengruppe initiated several countermeasures. The company engaged external IT security experts to assist in managing the crisis and investigating the breach. Internal teams worked on resolving the technical disturbances and restoring service to the affected websites. The overarching goal of the response, as stated by the company, was to return to a secure and stable operational state. The focus was on containment, eradication, and recovery, with an emphasis on ensuring the security of the systems before bringing them back online.

The incident highlighted the vulnerabilities inherent in supply-chain relationships, particularly when a single service provider supports multiple entities within a larger organization. The attack on Circ IT, a non-media entity that provided critical technical infrastructure, had an immediate and cascading effect on the news dissemination capabilities of numerous publications. This demonstrates how a compromise at a single point within a supply chain can disrupt the operations of all dependent organizations. The duration of the outage and the full technical details of the attack vector were not immediately disclosed, but the event served as a significant disruption to regional news coverage in Germany for a period following the initial attack.
