Cyber Incident Victim: Neue Zürcher Zeitung
Date: Mar 2023
Location: Switzerland
Summary
A cyberattack by the Play ransomware group targeted NZZ, resulting in the theft and subsequent darknet publication of approximately 500 GB of data, including employee and possibly customer information. The attack was contained early through collaboration with cybersecurity experts and law enforcement. NZZ paid no ransom, so as not to fund further criminal activity. Operations continued with minimal disruption, but third-party CH Media was also impacted because it shares NZZ’s IT services. Additional security measures were implemented to mitigate future risks.
Description
On March 24, 2023, the Neue Zürcher Zeitung (NZZ) organization experienced a ransomware cyberattack attributed to the group known as "Play," despite existing comprehensive IT security measures. The attack compromised some internal systems and services, with immediate operational disruptions affecting NZZ and third-party entities relying on its infrastructure. CH Media, a separate organization utilizing NZZ’s IT services, confirmed direct operational impacts due to the shared infrastructure compromise. NZZ’s IT team detected the intrusion early, isolated affected systems to limit propagation, and initiated an investigation with external cybersecurity specialists and Swiss authorities, including the National Cyber Security Centre (NCSC) and Zürich Cantonal Police (KAPO). While critical customer-facing systems—including nzz.ch and the NZZ app—remained fully functional, internal operational systems experienced temporary outages.

The attackers exfiltrated approximately 500 gigabytes of data, which included employee information and potentially customer data. On March 31, Play released portions of the stolen data on the darknet, as threatened. Initial analysis verified the presence of NZZ employee records, though customer data exposure remained unconfirmed. Subsequent forensic investigations, completed by July 13, 2023, confirmed former employee data was also compromised and published. NZZ explicitly denied paying any ransom, citing ethical opposition to funding criminal activity and adherence to law enforcement advisories. The organization implemented additional security hardening measures post-incident and maintained continuous collaboration with authorities to analyze the stolen data’s full scope. Affected individuals, including former staff, were directed to contact NZZ’s data protection team via dedicated channels for further details. No additional disruptions to media production or digital services occurred beyond the initial attack phase.
