Guardian Australia staff details compromised in cyber attack

Personal information including addresses and salary information on 140 current and former Australian staff of multinational media outlet The Guardian may have been accessed by hackers in the crippling cyberattack that hit the company late last year.

Its local leaders had told employees in a mid-January internal email that “we don’t currently believe there is a risk to Australian staff” but cautioned that its technical teams were continuing to investigate the breach.

On Thursday The Guardian’s Australian managing director Dan Stinton and editor Lenore Taylor emailed local staff to say 140 people employed between February 2017 and May 2019 had their details affected. Tax file numbers, bank account details, superannuation information, salaries and addresses were among the staff details potentially compromised.

Stinton and Taylor told staff in an email seen by this masthead that key Guardian servers were corrupted in the hack, preventing access to information that showed what the hackers had accessed until they were rebuilt.

“Our Australia and London teams have been working urgently to enable us to understand whether and which documents and personal data might have been accessed,” Stinton and Taylor wrote.

It is common in cyberbreaches for companies not to be able to determine if hackers gained access to, actually opened, or stole particular pieces of data.

A spokeswoman for the publication said extensive investigations had uncovered that the personal data of the 140 staff had been affected and added that the Office of the Australian Information Commissioner, which reviews data breaches, had been notified of the issue.

“A credit monitoring service is in place for all Guardian Australia staff, even though we have seen no evidence that personal data has been exposed online,” the spokeswoman said. “We continue to monitor for this.”

One Guardian staff member, who spoke on condition of anonymity, said workers at the company were concerned even if they had not been told they were among those affected. “Initially they didn’t think anyone had personal data compromised,” the person said.

Personal information including addresses and salary information on 140 current and former Australian staff of multinational media outlet The Guardian may have been accessed by hackers in the crippling cyberattack that hit the company late last year.

Its local leaders had told employees in a mid-January internal email that “we don’t currently believe there is a risk to Australian staff” but cautioned that its technical teams were continuing to investigate the breach.

On Thursday The Guardian’s Australian managing director Dan Stinton and editor Lenore Taylor emailed local staff to say 140 people employed between February 2017 and May 2019 had their details affected. Tax file numbers, bank account details, superannuation information, salaries and addresses were among the staff details potentially compromised.

Stinton and Taylor told staff in an email seen by this masthead that key Guardian servers were corrupted in the hack, preventing access to information that showed what the hackers had accessed until they were rebuilt.

“Our Australia and London teams have been working urgently to enable us to understand whether and which documents and personal data might have been accessed,” Stinton and Taylor wrote.

It is common in cyberbreaches for companies not to be able to determine if hackers gained access to, actually opened, or stole particular pieces of data.

A spokeswoman for the publication said extensive investigations had uncovered that the personal data of the 140 staff had been affected and added that the Office of the Australian Information Commissioner, which reviews data breaches, had been notified of the issue.

“A credit monitoring service is in place for all Guardian Australia staff, even though we have seen no evidence that personal data has been exposed online,” the spokeswoman said. “We continue to monitor for this.”

One Guardian staff member, who spoke on condition of anonymity, said workers at the company were concerned even if they had not been told they were among those affected. “Initially they didn’t think anyone had personal data compromised,” the person said.