The Philadelphia Inquirer’s operations continue to be disrupted by a cyber incident

It was unclear when systems would be fully restored. The incident is the greatest disruption to Inquirer publication since 1996.

Employees would not be allowed into The Inquirer’s offices through at least Tuesday because of the ongoing disruptions, the publisher said Sunday.
Alejandro A. Alvarez / Staff Photographer

The Philadelphia Inquirer and outside cybersecurity experts continued Sunday to scramble to restore systems after an apparent cyberattack disrupted operations over the weekend.

The Inquirer had been unable to print its regular Sunday newspaper, and it was not clear until late Sunday afternoon that it would be possible to print Monday’s editions of The Inquirer and Daily News newspapers. Online posting and updating of stories to Inquirer.com continued, though sometimes slower than normal.

It was unclear when systems would be fully restored, and Inquirer publisher Lisa Hughes said in response to emailed questions that “we are currently unable to provide an exact time line.” The incident was the greatest publication disruption to Pennsylvania’s largest news organization since the blizzard of Jan. 7-8, 1996, and it came just days before Tuesday’s mayoral primary election.

“We appreciate everyone’s patience and understanding as we work to fully restore systems and complete this investigation as soon as possible,” Hughes said in the emailed answers through a spokesperson. “We will keep our employees and readers informed as we learn more.”

Employees would not be allowed into The Inquirer’s offices through at least Tuesday because of the ongoing disruptions, Hughes said in an internal email update Sunday night. She said the company was “looking into coworking space for Tuesday,” meaning Inquirer journalists would be unable to use their newsroom on election night. However, Hughes said that the situation won’t affect coverage.

Hughes responded to some questions sent by email to a spokesperson but said the ongoing investigation prevented her from answering many detailed questions, including who was behind the incident or what motivations they had; whether they had successfully breached Inquirer systems; which systems were involved; whether The Inquirer or any employees appeared to be specifically targeted; and whether any confidential information of employees or subscribers was accessed. She vowed to “notify and support” anyone whose personal data may have been affected.

Hughes said the company had notified the FBI. A spokesperson for the FBI’s Philly office said it was aware of the incident and declined to comment as a matter of standard practice. She noted that “when the FBI learns about potential cyber attacks, it’s customary that we offer our assistance in these matters.”

The interruption of services raises questions about The Inquirer’s cybersecurity practices and infrastructure, and it comes as news organizations and other companies have seen growing online threats such as ransomware.

“In the context of hacking, what we used to say 10 years ago still applies: There are those who have been hacked and those who think they have not been hacked,” said David J. Hickton, the head of the University of Pittsburgh’s Institute for Cyber Law, Policy and Security.

The disruption began Saturday morning and continued Sunday

It’s unclear when the apparent cyberattack began. Hughes said the news organization was “first alerted to the anomalous activity on Thursday, May 11, by Cynet, a vendor that manages our network security.”

That did not appear to lead to any immediate interruption of Inquirer publication, which continued normally Thursday and Friday.

But the weekend skeleton crew discovered Saturday morning that access to The Inquirer’s content-management system was down. In a statement later Saturday, Hughes said The Inquirer had “discovered anomalous activity on select computer systems and immediately took those systems off-line.”

Within a few hours, workarounds were in place to allow news articles to be posted to Inquirer.com.

There was no workaround for printing regular editions of the Sunday newspaper, so the early edition — which is composed Friday — was printed and distributed to subscribers. The regular edition appeared online in the digital replica known as the e-edition.

Hughes said Monday’s newspapers would be printed and delivered but that classified ads, including death notices, would be postponed from appearing in the print newspapers until Wednesday “out of an abundance of caution.”

She said there were no plans for any refunds because subscribers had received the early Sunday papers and electronic edition.

Cybersecurity is a growing issue for news organizations

Cyberattacks have become a major threat to companies, and experts said news organizations can be particularly prized targets because of the nature of their work. Hackers may want to access reporters’ notes and files, for example, or to embarrass a news organization by leaking emails or Slack messages. Others may want to publish misinformation through real news organizations’ platforms or simply to wreak havoc in a highly visible way.

“Depending on who’s got access, and what kind of access they have and what they do with it, you can go a lot of different ways,” said Runa Sandvik, a computer security expert and researcher who specializes in digital security for journalists.

“But bottom line is that this is something that leadership does have to take into account and plan for and invest in,” she said. “It’s not something that you can just secure overnight, and it’s not something you can just clean up overnight, either.”

Sandvik and Hickton both noted the need for news organizations to follow best practices such as using “multifactor authentication,” which requires users to sign in by first providing a password and then responding to another prompt, such as responding to a text message or providing a temporary passcode. That standard means that even if an attacker obtains a user’s password, they still need more information before gaining access to company systems.

The Inquirer does not require multifactor authentication for many of its key systems.

The news organization has also been the target of what are known as “spear-phishing” campaigns, in which employees are sent fake emails or text messages that appear to be from a higher-up such as Hughes. Depending on the attack, victims might open a file that contains malicious software or be scammed into purchasing and giving away gift cards.

A particular threat to news organizations in recent years has been the rise of “ransomware,” a kind of malicious software that essentially locks a system up — holding it ransom — and demands payment to free the system. A major ransomware attack affected the Los Angeles Times in 2018.

“And now it’s 2023, so it’s not like we don’t know about these types of attacks, and it’s not like we don’t know how they happen,” Sandvik said, calling for news organizations to harden their defenses to a well-established problem.

The Inquirer has invested in digital security in recent years, which Hughes said was driven by the need to work remotely because of the COVID pandemic. That includes adding monitoring software to company-owned equipment.

Hughes said The Inquirer conducts regular audits, with an outside vendor, Cynet, handling network security. Another firm, Kroll, was brought in to specifically respond to the incident and investigate it.

Asked whether the vulnerability exploited in the ongoing incident had been previously flagged in audits or testing, Hughes said it had not.