The attack was most likely caused by a “phishing” prompt, Ms Bateson and Ms Viner said, in which a victim is tricked into downloading malicious software, often through email.
It was discovered on December 20 and affected a wide range of infrastructure – from printing to the tills in the UK office’s canteen.
Staff have been working from home since then, and a return to the office has now been delayed – for a third time — until February. A global video call is scheduled for Friday at 6pm Sydney time to discuss the attack. Staff are working from home as Wi-Fi, printers and the network have been disabled in the office while the investigation takes place.
“We believe this was a criminal ransomware attack, and not the specific targeting of The Guardian as a media organisation,” Ms Bateson and Ms Viner wrote.
“There is the potential for these types of data to be combined and used for identity fraud. But as we have said above, we have seen no evidence that personal data has been exposed online, and so the risk is low … we realise this news may be very worrying for everyone, and we want to say how sorry we are for any anxiety this may now cause.”
The pair said it was not currently believed that the personal data of Guardian US and Guardian Australia staff has been accessed in the attack, and added that there was no reason why the personal data of readers, supporters or subscribers – its list of donors – had been accessed.
One insider at Guardian Australia said staff expressed their concerns on an all-staff video call on Thursday morning.
“We’re all a bit concerned about our own data, because initially they said no staff data was compromised, now we learn UK staff have had their data compromised,” the source said. “It’s reminiscent of Medibank – getting worse each day.”
A spokeswoman for Guardian Australia said the investigation was ongoing.
“The Guardian has been in contact with the relevant Australian regulators, though based on current investigations, there are no mandatory notifications required in Australia,” she said.
The Office of the Australian Information Commissioner said it couldn’t comment on whether it had been notified by The Guardian.
Cyberattacks are becoming increasingly common. Optus and Medibank were hit by major breaches over the past few months, while Nine, the publisher of The Australian Financial Review, was hit with a ransomware attack in March 2021.