Incident Details
- Date of Incident
- February 3, 2025
- Targets
- Lee Enterprises
The St. Louis Post-Dispatch and 75 other Lee Enterprises newspapers were affected by a cyberattack on the Iowa-based news media company on Feb. 3, 2025. Banners on the news websites alerted readers of ongoing “maintenance on some services.”
Cybercrime group claims it’s behind Lee Enterprises attack
A ransomware gang took credit on Feb. 27, 2025, for a cyberattack that has for the last month disrupted operations at nearly 80 newspapers owned by Iowa-based Lee Enterprises, SecurityWeek reported.
The Feb. 3 cyberattack involved unauthorized access to critical applications and the withdrawal of files, disrupting the outlets’ ability to publish online or print publications, as well as subscribers’ access to their accounts.
As of March 4, affected newsrooms continued to display a banner atop their websites alerting readers to ongoing “maintenance” that may impact account access and the e-editions.
More than three weeks after the attack, Russia-linked ransomware group Qilin claimed responsibility for the attack and the theft of 350 GB of data in a post on its website. According to SecurityWeek, the announcement suggests that Lee refused to pay the ransom or that negotiations have stalled.
“All data will be published on March 5, 2025,” the post said. “The documents we hold about Lee Enterprises reveal details worth noting—investor records, financial arrangements that raise questions, payments to journalists and publishers, funding for tailored news stories, and approaches to obtaining insider information.”
In a statement shared with the U.S. Press Freedom Tracker, a spokesperson for Lee said, “We are aware of the claims and are currently investigating them.”
Lee systems accessed, files withdrawn in cyberattack
Newspaper publisher Lee Enterprises alerted the Securities and Exchange Commission on Feb. 18, 2025, that an earlier cyberattack on the media company involved unauthorized access to critical applications and the withdrawal of files.
At least 79 Lee newspapers experienced disruptions to their online or print publications as a result of the Feb. 3 cyberattack. Some papers also reported that subscribers were unable to access their accounts or that their newsroom phone systems were disabled.
Most of the newspapers continued to have banners on their websites advising subscribers of “maintenance on some services, which may temporarily affect access to subscription accounts and the e-edition.”
According to the SEC filing — dated Feb. 14 but filed days later — unidentified actors “unlawfully accessed the Company’s network, encrypted critical applications, and exfiltrated certain files.
“The incident impacted the Company’s operations, including distribution of products, billing, collections, and vendor payments. Distribution of print publications across our portfolio of products experienced delays, and online operations were partially limited,” the filing said. “As of February 12, 2025, all core products are being distributed in the normal cadence, however weekly and ancillary products have not been restored.”
Lee added that it expects to restore remaining products in phases over the coming weeks and is still actively conducting a forensic analysis to determine whether sensitive data or personally identifiable information was compromised. The agency has alerted law enforcement and said it will notify relevant federal and state regulatory bodies, and applicable consumer protection agencies, as needed.
Dozens of newspapers owned by Iowa-based news media company Lee Enterprises were affected by a cyberattack starting on Feb. 3, 2025, disrupting the publication of print and e-editions.
The St. Louis Post-Dispatch — one of Lee Enterprises’ more than 400 daily, weekly and specialty newspapers across 24 states — reported that the media conglomerate had experienced a “cybersecurity event.” The company alerted its newspapers that it had been working with third-party specialists to investigate the disruption and restore the systems.
“We are now focused on determining what information — if any — may have been affected by the situation,” Lee Enterprises CEO Kevin Mowbray wrote. “We are working to complete this investigation as quickly and thoroughly as possible, but these types of investigations are complex and time-consuming, with many taking several weeks or longer to complete.”
According to the Post-Dispatch, the targeting of the company’s computers prevented many newspapers from building pages and publishing print editions. The Winston-Salem Journal in North Carolina reported that some subscribers could not access their accounts.
At least 79 newspapers reported disruptions to their operations. Many published delayed or smaller editions while others were unable to publish entirely.
The Sentinel in Carlisle, Pennsylvania, reported that the cyberattack affected phone lines and internet at its office, forcing staff to work remotely. Carrier Sidener, executive editor of The News & Advance in Lynchburg, Virginia, wrote on Feb. 9 that the attack also disabled her newsroom’s phone system.
As of Feb. 12, Lee newspapers continued to have banners on their websites that read: “We are currently undergoing maintenance on some services, which may temporarily affect access to subscription accounts and the e-edition. We apologize for any inconvenience and appreciate your patience as we work to resolve the issues.”
According to the Winston-Salem Journal, CEO Mowbray told the newspapers that the company is working to find ways to prevent something similar from happening again but did not say when the issues would be resolved.
Mowbray also thanked employees “for your above-and-beyond efforts to continue reporting the news and maintaining our operations under challenging circumstances.”
The full list of outlets confirmed to have been affected, listed alphabetically by state:
- Arizona — The Arizona Daily Star
- Illinois — Herald & Review, Journal Gazette & Times-Courier, The Pantagraph, Woodford County Journal
- Iowa — Bulletin-Review, The Daily Nonpareil, The Dispatch & The Rock Island Argus, Globe Gazette, Quad-City Times, Sioux City Journal, Southwest Iowa Herald, The Courier
- Minnesota — Winona Daily News
- Missouri — The St. Louis Post-Dispatch
- Montana — Billings Gazette, Independent Record, Missoulian, Montana Standard, Ravalli Republic
- Nebraska — The Banner-Press, Beatrice Daily Sun, The Columbus Telegram, Fremont Tribune, The Grand Island Independent, Lexington Clipper-Herald, Lincoln Journal Star, The North Platte Telegraph, Omaha World-Herald, Schuyler Sun, Star-Herald
- Nevada — Elko Daily Free Press
- New Jersey — The Press of Atlantic City
- New York — The Buffalo News, The Citizen, The Post-Star
- North Carolina — Hickory Daily Record, The McDowell News, News & Record, The News Herald, Statesville Record and Landmark, Winston-Salem Journal
- North Dakota — The Bismarck Tribune, The Morton County and Mandan News
- Oklahoma — Tulsa World
- Pennsylvania — The Sentinel
- Oregon — Albany Democrat-Herald, Corvallis Gazette-Times
- South Carolina — The Morning News, The Times and Democrat
- South Dakota — The Chadron Record, Rapid City Journal
- Texas — The Eagle, Waco Tribune-Herald
- Virginia — Amherst New Era-Progress, Bristol Herald Courier, Culpeper Star-Exponent, The Daily Progress, Danville Register & Bee, The Free Lance-Star, Madison County Eagle, Martinsville Bulletin, Nelson County Times, The News & Advance, The News Virginian, Orange County Review, Richmond Times-Dispatch, The Roanoke Times, Rural Virginian
- Washington — The Daily News
- Wisconsin — Baraboo News Republic, The Chippewa Herald, Daily Citizen, The Journal Times, Juneau County Star-Times, Kenosha News, La Crosse Tribune, Wisconsin State Journal
- Wyoming — Casper Star-Tribune
Editor’s Note: This article has been updated to include the names of additional news outlets that were confirmed to have been affected by the cyberattack.
The U.S. Press Freedom Tracker catalogues press freedom violations in the United States. Email tips to [email protected].
