
Buffalo, N.Y. (WBEN) - The parent company of The Buffalo News discloses 40,000 people were affected by February's cyberattack. Lee Enterprises says names and Social Security numbers were compromised.
Lee Enterprises says the data breach included first and last names, as well as Social Security numbers, and that it is notifying those affected by mail. Lee said last month it spent $2 million to restore its operations following the cyberattack. The incident affected the company's advertising revenue during the quarter that ran through March because of limitations on the size of many of Lee's newspapers.
Cybersecurity expert Arun Vishwanath suspects there may be more than the 40,000 disclosed.
"This was a Russian ransomware attack. They stole about 350 gigabytes of data," said Vishwanath in an interview with WBEN.
Vishwanath says he's not impressed with Lee's handling of the breach.
"It's about four months into it, which is particularly alarming. So the breach itself, assuming more than likely happened because of a human element, because of a failure of cyber hygiene, because somebody clicked on a phishing link, or had a weak password, or what have you, within Lee Enterprises. But the breach notification was also handled by human beings in a very untimely manner," he explained. "They took all the time they could before telling us, who knows what has already happened since? Who knows what's happened with that compromised data? Have other people already gotten compromised?"
Vishwanath says companies you do business with will not protect your data.
"You need to freeze your credit with all the three credit agencies, you need to use a password manager. You need to use two-factor authentication. If you are a customer of The Buffalo News in particular, be suspicious of emails that are coming to you," Vishwanath advised.
He compares a company offering a year of credit monitoring to handing out an umbrella after the flood.
Here in Buffalo, the News was reduced from three sections to two for several weeks after the cyberattack.