Skip to main content

UK media giant The Guardian has confirmed that it suffered a ransomware attack in December that exposed the personal data of UK staff members and has forced the company to close its London office until at least early February.

The Guardian Media Group’s chief executive, Anna Bateson, and The Guardian’s editor-in-chief, Katharine Viner, confirmed the news in an update emailed to staff on Wednesday afternoon. The pair described the attack, which took place on December 20, 2022, as “highly sophisticated,” involving unauthorised third-party access to parts of the company’s network, most likely triggered by a phishing attempt in which a victim was tricked into downloading malware.

The news came on the same day that the UK’s Royal Mail suffered “severe disruption” following an unspecific cyber incident and a few months after an attack on a major IT provider of the UK’s National Health Service (NHS) was confirmed as ransomware. It also follows recent data from cybersecurity services company JUMPSEC, which showed that ransomware attacks have been a persistent threat to UK organisations since early 2020.

Data of readers and subscribers unaffected

According to The Guardian, the personal data of readers and subscribers remains safe and has not been accessed, whilst it is also believed that the personal data of Guardian US and Guardian Australia staff is unaffected.

The UK’s data watchdog the Information Commissioner’s Office (ICO) and UK police have been informed of the attack. The message to staff claimed there is no evidence of data being exposed online, so the risk of fraud is considered to be low.

“We believe this was a criminal ransomware attack and not the specific targeting of The Guardian as a media organisation. These attacks have become more frequent and sophisticated in the past three years, against organisations of all sizes, and kinds, in all countries,” Bateson and Viner added.

The firm has been using external experts to gauge the extent of the attack and to recover its systems, estimating that some critical systems will be restored within the next two weeks. However, a return to office working has been postponed until early February to allow IT staff to focus on network and system restoration. There was no mention in the statement of whether the attackers have made ransom demands or if the company is negotiating with them.

“Beyond the ransomware attack, the fact that so much personal information of staff was leaked could have huge impact and so staff need to remain vigilant, particularly if they receive unsolicited or unexpected emails, links, and social media messages,” Javvad Malik, Lead Security Awareness Advocate at KnowBe4, tells CSO. “The problem with so much information being available is that criminals can use the information to craft very convincing social engineering attacks. While some data may seem to be of little value, in the hands of criminals, it can be exploited.”

Ransomware attacks continue to plague UK businesses

According to JUMPSEC research, the UK’s share of global activity has been consistent since 2020 at 5% of total global ransomware activity (shifting 0.1% over a year), with the UK representing 314 from a global total of 5,869 ransomware cases. The most prevalent ransomware group in the UK since the current ransomware wave began in 2020 has been Conti, closely followed by LockBit, JUMPSEC added.

Data suggested that education, retail and wholesale trade, and law are the most targeted industries in the UK, whilst 86% of UK ransomware attacks go completely unreported in typical media sources. Of the remaining 14% of reported cases, many organisations only admit a breach has occurred after being outed by attackers online, or do not report the attack directly via their own website, JUMPSEC stated.


All rights reserved Jenson Knight.