ÃÛÑ¿´«Ã½

DAVENPORT, Iowa — Hackers on Feb. 3 attacked the Post-Dispatch’s parent company, Lee Enterprises, encrypting “critical applications� and stealing data, the company disclosed in a securities filing Tuesday.

It was the most information Lee has publicly released since the cyberattack hobbled the publisher of newspapers in more than 70 markets nationwide, including ÃÛÑ¿´«Ã½, Omaha and Buffalo.

In the wake of the attack, newspapers in many markets initially were unable to print and distribute. The company’s larger properties, including the Post-Dispatch, did not miss any print days, though they have published smaller editions and omitted some features over the past two weeks. The Post-Dispatch newsroom and other Lee sites have continued to publish news uninterrupted on their websites and mobile apps.

The company’s investigation into the attack found “threat actors� illegally accessed Lee’s network and “encrypted critical applications and exfiltrated certain files.� In its filing with the U.S. Securities and Exchange Commission, Lee said it is analyzing whether sensitive data or personally identifiable information was compromised. The filing did not specify whether that data included customer payment information. The company has notified law enforcement about the attack.

The attack hurt not only print operations but also billing, collections and vendor payments.

As of Feb. 12, Lee said in its SEC filing, its “core products� were again being distributed. But its weekly and other publications — Lee publishes dozens of those, representing about 5% of its operating revenue — have not yet been restored. The company said it anticipated a “phased recovery over the next several weeks� for those products.

Temporary measures, including manual transaction processing and “alternative distribution channels,� are being used to maintain critical functions, the filing said. Also, the company on Friday implemented a major systems update for “enhanced security practices,� according to an email shared with staff.

The company said it was still evaluating the financial impact of the attack but that it was likely to be “material.�

implemented in 2023 require companies to disclose in a filing any cybersecurity breach within four business days of it being deemed “material� — defined as information an investor would consider important due to the impact on a company’s finances, operations or market capitalization.

Lee executives did not mention the incident in a Feb. 7 earnings release and call with investors, where it was reporting a drop in operating revenue for the quarter. It did include a mention of the breach in its formal earnings filing with the SEC, though it referred to it as “a technology outage due to a cyber incident affecting certain business applications, resulting in an operational disruption.�

“As of the date of this filing,� Lee wrote in the Feb. 7 filing, “the Company has not identified any impact that is material; however, the evaluation remains ongoing.�