(Image source: Proimos, 2011)
One-sentence summary:
A China-linked APT likely had access to News Corp for almost two years, beginning in 2020, in a breach involving Chinese intelligence and sensitive data.
Who was involved?
A potentially Chinese-sponsored threat actor, News Corp, News Corp employees, Mandiant (Google Cloud), and potentially random targets.
What was the timeline?
February 2020: News Corp is breached by the threat actor (News Corp, 2023, p. 1).
January 20, 2022: Breach is discovered by News Corp.
February 04, 2022: News Corp goes public with the breach for the first time in its SEC Form 10-Q (News Corp, 2022a; News Corp, 2022b).
February 05, 2022: News Corp tells the press the incident is “contained” following media attention on the 10-Q.
February 22, 2023: News Corp begins notifying specific parties of the breach (News Corp, 2023).
What occurred?
News Corp (parent of Dow Jones, Foxtel, HarperCollins, News UK, The Australian, The Daily Telegraph, Herald Sun, New York Post, The Wall Street Journal, realtor.com) discovered a breach of its “business email and document storage system used by several News Corp businesses” in January 2022 (News Corp, 2023, p. 1). News Corp quickly brought in Mandiant for incident response (McLaughlin, 2022, para. 3). The breach was attributed to China early in the investigation (McLaughlin, 2022, para. 5). News Corp quickly began sharing CTI (cyber threat intelligence) with the Media ISAO (Information Sharing and Analysis Organization) while also publicly confirming containment (McLaughlin, 2022, paras. 14-15). The threat actors allegedly sought only documents of political interest to China (Marks & Schaffer, 2022, para. 4). Breached victim and employee data potentially included: “your name, date of birth, Social Security number, driver’s license number, passport number, financial account information, medical information, and health insurance information” (News Corp, 2023, p. 1).
Estimated costs:
Mandiant incident response and breach notification costs.
Involved laws:
Federal: HIPAA, Securities Exchange Act of 1934
State: Massachusetts 201 CMR 17.00 and M.G.L.A. 93H § 1 (other states potentially involved).
Root cause:
TBA or N/A (see disclaimer)
Lessons learned:
TBA or N/A (see disclaimer)
Sources:
Marks, J., & Schaffer, A. (2022, February 7). The News Corp breach illustrates how badly China wants to hack the U.S. The Washington Post. Retrieved February 27, 2023, from https://www.washingtonpost.com/politics/2022/02/07/news-corp-breach-illustrates-how-badly-china-wants-hack-us/
McLaughlin, J. (2022, February 4). Hackers tied to China are suspected of spying on News Corp. journalists. npr.org. Retrieved February 27, 2023, from https://www.npr.org/2022/02/04/1078259252/news-corp-china-hacking-cyberattack
News Corp. (2022a). FORM 10-Q. In investors.newscorp.com (No. 001–35769). United States Securities and Exchange Commission. Retrieved February 27, 2023, from https://investors.newscorp.com/static-files/bfac7437-a73a-4e2b-b4fa-d294b1088a48
News Corp. (2022b, February 4). SEC Filings. investors.newscorp.com. Retrieved February 27, 2023, from https://investors.newscorp.com/sec-filings?field_nir_sec_date_filed_value=2022&mobile=1&items_per_page=10&order=field_nir_sec_date_filed&sort=asc&page=3
News Corp. (2023). NOTICE OF DATA BREACH. In Commonwealth of Massachusetts (No. B086387). Retrieved February 27, 2023, from https://www.mass.gov/doc/assigned-data-breach-number-29073-news-corporation/download
Proimos, A. (2011, July 5). News Corporation Headquarters. Wikimedia Commons. https://commons.wikimedia.org/wiki/File:News_Corporation_Headquarters_%285903813640%29.jpg