
The Philadelphia Inquirer yesterday notified 25,549 people of a data breach that compromised their personal and financial information.

The breach took place in May 2023. In an update posted April 26, 2024, Inquirer CEO Lisa Hughes stated that Social Security numbers, driver’s license numbers, financial account information, and medical information might have been accessed.

Ransomware group Cuba claimed the attack at the time, saying it stole “financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation, source code.” The group posted a proof pack containing a sample of the allegedly stolen files on its leak site, but later took it down. The Inquirer has not confirmed Cuba’s claims.

The victims include subscribers, employees, former employees, and employees’ family members on benefit plans. Although the Inquirer has stated that there’s no evidence that the stolen information has been misused, we still recommend victims assume the worst and take steps to protect their identity and finances. The Inquirer is offering free credit monitoring services to victims through Experian.

The Inquirer says it took systems offline “days after the incident” and couldn’t print its normal Sunday newspaper as a result.

It took nearly a year to notify victims of the breach. The timeline of the breach disclosure isn’t entirely clear. The Inquirer has said it responded to the attack days after it happened, but the notification submitted to Maine’s Attorney General says the breach wasn’t discovered until February 8, 2024.

The Inquirer has not stated whether it paid a ransom or how attackers breached its systems. Comparitech contacted the Inquirer for comment and will update this article if it responds.

Who is Cuba?

Ransomware gang Cuba first emerged in 2019 under the name “Tropical Scorpius”. Its targets span North America and Europe, and include oil companies, financial services, government agencies, and healthcare providers.

Cuba has been confirmed as the culprit behind 13 ransomware attacks since its most recent name change (it has changed names on at least three occasions). Five of those attacks took place in 2023, according to our data.

Cuba’s initial access vectors include phishing and exploiting software vulnerabilities, including those affecting remote desktop connections (RDP).

Cuba often extorts victims twice: once for a decryption key to restore attacked systems, and a second time in exchange for not selling or publicly releasing stolen data.

About the Philadelphia Inquirer

The Philadelphia Inquirer is a daily newspaper founded in 1829 and based in Philadelphia, Pennsylvania. It’s the largest-circulation newspaper in the state, and the 17th-largest in the USA. It has a circulation of more than 60,000, according to external sources.