DAVENPORT, Iowa — Lee Enterprises, the parent company of the Post-Dispatch, has disclosed that the personal information of nearly 40,000 people “may have been accessed or acquired†in a February cyberattack.
The hack hobbled the company’s newspapers for weeks and caused it to delay several debt payments.
The company sent an email to employees Wednesday saying it had completed its investigation into the Feb. 3 breach and that some employees may have had their personal information compromised.
It also began informing state regulators of the impact on consumers, who may have had their information stolen, and sending letters to people whose data was compromised.
Lee employs about 3,000 people at newspapers and other publications in 70 markets, according to securities filings, and says it has 1.1 million print and digital subscribers across the chain.
People are also reading…
Lee spokeswoman Tracy Rouch said that some customers’ data was compromised. She said the company was notifying everyone impacted via mailed letters and would provide free identity theft protection.
“We have taken significant steps to further enhance our security to help ensure that a similar situation does not occur again in the future,†Rouch said in a statement.
The breadth of the impact was first reported by British technology news service .
In a letter sent Tuesday to the Maine Attorney General, Lee said it discovered May 28 that personal information had been accessed and taken during the hack. The letter said 39,779 people were affected, though only a handful in Maine itself.
Lee said it had informed affected individuals in the state and was providing free credit monitoring services for a year to those people. The company also said it would send personal letters to those impacted.
The hack caused some of Lee’s newspapers to miss print publication for days. While the Post-Dispatch, Lee’s largest paper, was able to print every day, the breach disrupted operations for weeks. The company disclosed the breach to federal securities regulators on Feb 18, two weeks after the hack.
Qilin, a Russian-speaking ransomware gang, and threatened to release information stolen from Lee on March 5. Lee said at the time it was investigating, but Rouch said Wednesday Lee had not confirmed Qilin was behind the attack, and has not said whether it paid a ransom due to the breach.
Lee CEO Kevin Mowbray told investors last month the company incurred $2 million in “restoration costs†due to the cyber incident.
Lee has delayed interest payments to its sole lender, Berkshire Hathaway Finance, in March, April and May, freeing up over $10 million in capital to recover from the breach. Berkshire Hathaway Finance has allowed the delays and added the interest onto Lee’s roughly $450 million in debt, but in exchange it amended its agreement with Lee that could allow it to begin selling off some of the debt.
Lee’s stock was down 2% Wednesday, to $6.77. It has lost half its value since the hack, falling to a market capitalization of $42 million.
ÃÛÑ¿´«Ã½ looks to recover from a tornado the week of May 25, 2025. Edited by Jenna Jones.
