News Corp Breach Exposes Employee Personally Identifiable Information (PII) in 2020
Company aware of PII compromise and exposure in February ’22 – Employees only notified in February ’23
As has been reported in the past by a number of other organizations, the massive conglomerate News Corp. suffered a breach in February 2020. This breach was attributed to Chinese-aligned threat actors by cybersecurity investigators at Mandiant, according to reports at the time. Despite a paucity of details in their initial SEC filings, a more recent memo sent to impacted employees sheds significantly more light on the breach:
“On January 20, 2022, News Corp discovered cyberattack activity on a business email and document storage system used by several News Corp businesses. As soon as we became aware of the activity, we notified U.S. law enforcement and launched an investigation with the assistance of a leading cybersecurity firm. Based on the investigation, News Corp understands that, between February 2020 and January 2022, an unauthorized party gained access to certain business documents and emails from a limited number of its personnel’s accounts in the affected system, some of which contained personal information. Our investigation indicates that this activity does not appear to be focused on exploiting personal information. We are not aware of reports of identity theft or fraud in connection with this issue...”
Analysis of the February 4th dated SEC filings reveals that News Corp. had a significant amount of information about the breaches. They clearly state that “The Company’s preliminary analysis indicates that foreign government involvement may be associated with this activity, and that data was taken.” but News Corp. fails to directly detail the kind of data compromised. However, they demonstrate clear knowledge of the type of data that was not compromised: “To the Company’s knowledge, its systems housing customer and financial data were not affected.” Having the confidence to state that to a regulatory agency implies a certain level of knowledge about the type and scope of the breach in question.
Despite that confidence on February 4th of ’22, employees were not warned that their Personally Identifiable Information (PII) was compromised until the memo dated February 22, 2023. They ominously informed their impacted employees, “We are writing to notify you of an issue that involves certain personal information of yours.” That opening is eventually followed by the statement “We nonetheless are providing you notice of this issue because the investigation has determined that some of your personal information was contained in the relevant materials.”
It is not until later in the memo that the type of disclosure is quantified: “The affected personal information may have included one or more of the following: your name, date of birth, Social Security number, driver’s license number, passport number, financial account information, medical information, and health insurance information.” Employees are then reassured that, “Not all of this information was impacted for each affected individual.”
The SEC disclosures reveal a great deal of analytic effort revolving around the mandatory reporting to investors and regulators, the safety and security of business operations, and customer personal and financial data. The less-than-concerned memo, combined with the year-long delay between the SEC filing and the employee memo, raises serious questions about the level of commitment that News Corp. has to the safety and security of its employees’ data, as well as its commitment to breach disclosure regulations.
According to the National Conference of State Legislatures, “All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have security breach notification laws that require businesses or governments to notify consumers or citizens if their personal information is breached.” While 33 states have no timeframe for reporting cybersecurity breaches, the remaining 17 states require individual reporting between 30 and 60 days, depending on the state. Even more concerning is the fact that the Department of Health and Human Services has a 60-day window for individual notification of a breach. Considering that health insurance information is, by their own admission, a part of the exposed information, it would seem that News Corp. falls squarely afoul of those requirements as well.
With the Biden administration gearing up to unveil a new national cybersecurity strategy, it will be interesting to see how situations like this one drive adoption of the administration’s goals to reform the market’s relationship with cybersecurity responsibilities. In the administration’s own words, their goal is to, “Shape Market Forces to Drive Security and Resilience – We will place responsibility on those within our digital ecosystem that are best positioned to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable in order to make our digital ecosystem more trustworthy, including by: ...Promoting privacy and the security of personal data;”
In the end, we are left with two major unanswered questions for News Corp:
“When did you become aware that employee PII had been compromised?”
“What event(s) caused this disclosure memo to be sent now?”

