Hackers access Guardian staff salary, passport information

Hackers accessed passport, bank, and salary information of staff at The Guardian as part of a sophisticated cyberattack that has hobbled the newspaper’s operations for nearly a month.

In a lengthy internal email to Guardian staff on Wednesday, chief executive Anna Bateson and editor-in-chief Katharine Viner said that the initial results of an investigation into a hack last month found that some files containing the personal data of UK staff were accessed as part of the attack. The data included names, addresses, bank account information, salaries, and passport documents of Guardian reporters.

“We realise this news may be very worrying for everyone, and we want to say how sorry we are for any anxiety this may now cause,” the paper said. “But now that we have confirmed there is a risk, we will do everything we can to support staff.”

The paper’s leadership also disclosed more information about the origin of the hack, which it said was a result of a phishing attack. The investigation concluded that the intrusion was “a criminal ransomware attack, and not the specific targeting of the Guardian as a media organisation.”

The company noted that  the incident had been reported to UK law enforcement, but that there appeared to be “no evidence that any data has been exposed online thus far.” The executives said  they did not believe any reader or subscriber data was hacked or that data for the Guardian US and Australia staff had been accessed.

While the Guardian has kept much of its digital and print production flowing despite the attack, the intrusion has continued to hinder some basic operations within the company. Employee expenses have been delayed, and even some elements of print production, including formatting columnist author photos, have been disrupted. Wednesday’s memo said that the paper’s offices will continue to be closed through February, over a month since they were shuttered following the attack.

Semafor spoke with several Guardian staff on Wednesday who were extremely alarmed by the realization that hackers had access to much of their sensitive personal information.

“Jesus fucking christ!!” one staffer said.

Another staffer pointed out that while Wednesday’s memo included a list of suggestions for better information security, the Guardian’s own systems made them difficult to follow. The Guardian staffer noted that while the company suggested regularly changing passwords, many staff had not altered their passwords in several years becauset hey are required  to file a special request to the company’s IT department in order to alter login information.