USA Today owner Gannett hit by phishing attack

Gannett Co., the nation’s largest newspaper publisher, has been hit by a phishing attack that may have exposed the personal data of up to 18,000 current and former employees.

The company said hackers may have accessed employees’ personal data after several HR staff became victims of a phishing email. The breach was discovered on March 30, after Gannett’s in-house cybersecurity team discovered the attacker attempting to use a hijacked account to transfer corporate money.

The company, which owns USA Today and 109 local media properties, has warned that employees’ dates of birth, bank account information, Social Security numbers, salary, benefits, work history, and insurance information may have been compromised.

Gannett has reportedly notified law enforcement of the incident, and is now informing the affected employees of the attack by mail.

People are the weakest link

The hacker appears to have carried out the attack after compromising the Office 365 credentials of HR personnel, said Bob Noel, director of marketing and strategic relationships for Plixer International. “Once the hacker got control of actual employee email accounts, they were able to impersonate HR with what appeared to be a valid email to Gannett employees (although in actuality they were themselves phishing attacks).”

Noel added that hackers have become so proficient at phishing that they can trick even the savviest of tech users. This “proves people are the weakest link in the security chain,” and that educating staff on the dangers of phishing should be a “top priority” for all organizations.

“The lesson here is if you unexpectedly receive a digital request to provide personal information, […] you should pick up the phone and verify with the sender the legitimacy of the request.”

Educate your staff on phishing

The reason people are the weakest link when it comes to phishing is because the messages are specifically designed to trick them into believing they are legitimate. Tech solutions can prevent some phishing emails from reaching inboxes, but because the threat is constantly evolving, it can’t stop all of them.

Therefore, for businesses to remain safe, it’s crucial for their employees to be able to recognize a phishing email and how to respond when they receive one. That’s exactly what our Phishing Staff Awareness Course does. Full of practical tips and advice, the course teaches your staff how phishing works, how to identify a malicious email, and how to avoid falling victim.

Take a sneak peek at the course:

Find out more about our Phishing Staff Awareness course >>