• by Ray Schultz , Columnist, 6 hours ago

Condé Nast is ending the year on a sour note. 

It was hacked, and more than 2.3 million user records from Wired were released, including name, email, address and phone, but no passwords, Ken Fisher, editor in chief of Arts Technica, reported in a post.  

Worse, the hacker named Lovely lectured the company on its data protection data practices. 

“Condé Nast does not care about the security of their users data,” it wrote. “It took us an entire month to convince them to fix the vulnerabilities on their websites. We will leak more of their users’ data (40 + million) over the next few weeks. Enjoy!”

Publishers, this could be expensive. The second release will contain data from the major publishing brands Vogue, The New Yorker and Vanity Fair,  Lovely warns. In addition to recovery costs, it almost certainly will lead to class action lawsuits by consumers who feel their privacy was violated. 

Ars Technica, a Condé Nast publication, has not affected because it has a separate tech stack, Fisher adds. But Fisher  seems riled up.  

But he writes that it is “unclear how altruistic the motive really was. DataBreaches.Net says that Lovely misled them into believing they were trying to help patch vulnerabilities, when in reality, it appeared that this hacker was a ‘cybercriminal’ looking for a payout. “

It also is not the only episode of its type. 

Newspaper publisher Lee Enterprises has paid $2 million in recovery costs stemming from a cyberattack it suffered last February. The breach, which exposed data on 39,779 individual, was perpetrated by the Qilin ransomware group.  

The company has also been sued by consumers and former employees who claim their data was exposed to cyber criminals.  

In June, Washington Post journalists were hit by a cyberattack that possibly originated with a foreign government.  

DataBreaches.Net concedes, “they played me. Condé Nast should never pay them a dime, and no one else should ever, as their word clearly cannot be trusted.” 

Publishers, assuming they have not already done so, need to engage cyber data experts who can plug up their operation from top to bottom and keep Lovely out.