Updated at 9:40am Eastern
“We are experiencing technical problems and are working to resolve them.”
That was the short but succinct Tweet sent in the 8pm Eastern hour on Sunday evening by a dual CBS/FOX affiliated property licensed to South Bend, Ind.
Six hours earlier, a nearly identical Tweet was posted by the ABC affiliate serving Portland, Ore.
Those “technical difficulties” were seen at sibling television stations across the U.S., including a pioneer in broadcast television that was perhaps the first TV station to broadcast in color — WRGB-6 in Schenectady, N.Y.
On Monday morning, the stations’ leadership still wasn’t commenting. But, it submitted the facts in a SEC filing. Indeed, Sinclair Broadcast Group has become the latest media company to suffer a severe ransomware attack.
Providing the clearest picture, via social media and not on Channel 6, for viewers in New York’s Capital District was Heather Kovar, the Emmy award-winning weekend anchor for WRGB’s weekend morning newscasts.
At exactly 8:12am Eastern, Kovar took to Twitter to provide “a quick update” as to why the station’s local morning newscasts weren’t on the air, even as the teleprompters and cameras were ready to roll. “We’re still having technical difficulties, so as of right now we still haven’t been able to put on a newscast. Typically on Sunday mornings we’re live from 7am until nine but we’ve produced the show, we’re ready to go and … um … of course we are still not able to go online.”
For meteorologist Craig Gold, weather forecasts were being delivered on his personal Facebook page and that of WRGB, via Facebook Live.
What happened at WRGB-6, KATU-2 in Portland, Ore., WSBT-22 in South Bend, Ind., and other stations owned by Sinclair?
As first reported by cybersecurity reporter Catalin Cimpanu for The Record by Recorded Future, an online news publication focused on cybersecurity, Sinclair’s TV stations were disrupted across the U.S. after a “ransomware attack.”
A late Sunday email to Sinclair CEO Chris Ripley from RBR+TVBR‘s Editor-in-Chief was acknowledged; he did not comment on the situation impacting multiple Sinclair stations across Sunday.
However, by 9:30am Eastern, a SEC filing from Sinclair offered an official statement on “a recent cybersecurity incident” impacting the company.
Saturday (10/16), Sinclair “identified and began to investigate and take steps to contain a potential security incident.”
On Sunday, Sinclair positively identified that “certain servers and workstations” were encrypted with ransomware, and that certain office and operational networks were disrupted. Furthermore, data also was taken from the company’s network.
“The company is working to determine what information the data contained and will take other actions as appropriate based on its review,” Sinclair said in the formal statement. “Promptly upon detection of the security event, senior management was notified, and the company implemented its incident response plan, took measures to contain the incident, and launched an investigation.”
Furthermore, Sinclair says, legal counsel; a cybersecurity forensic firm; and other incident response professionals were engaged. The company also notified law enforcement and other governmental agencies. The forensic investigation remains ongoing.
While newscasts across Sunday were impacted, as was NFL football in one market, according to Twitter postings from viewers, it is the placement of advertising on Sinclair’s TV stations that could be the biggest headache for the company as it seeks to resolve its ransomware attack.
“While the company is focused on actively managing this security event, the event has caused – and may continue to cause – disruption to parts of the company’s business, including certain aspects of its provision of local advertisements by its local broadcast stations on behalf of its customers,” Sinclair admitted. “The company is working diligently to restore operations quickly and securely.”
Sinclair concluded its formal statement by noting that it is in “the early stages of its investigation and assessment of the security event,” and as such cannot determine at this time whether or not such event will have a material impact on its business, operations or financial results.
“As the company conducts its investigation, it will look for opportunities to enhance its existing security measures,” Sinclair said.
According to The Record, the Sinclair internal corporate network, email servers, phone services, and the broadcasting systems of local TV stations were impacted.
WSYX-6 in Indianapolis saw weekend morning meteorologist Phil Kelly also turn to Twitter, noting, “It’s a corporate wide problem that our engineers are working hard to fix.”
Then, there was KOMO-4 in Seattle, the largest ABC affiliate in the Pacific Northwest after sibling KATU-2; and KVII-7 in Amarillo, Tex., which also went to Twitter to share with viewers their troubles.
As of 6:45am Pacific, KOMO’s morning newscasts were on the air, a RBR+TVBR correspondent in Seattle reports.
The Record notes the problem was severe. However, Sinclair master control was not impacted. This allowed Sinclair stations to replace local programming with nationally distributed programming — something Cox Media Group-owned TV stations were forced to do in June when that company suffered its own reported ransomware attack, a matter it still has not publicly addressed.
The Record adds that Sunday’s incident follows a company-wide password reset for IT resources shared by local stations conducted by Sinclair in July, following what it determined to be a “potentially serious network security issue.”
As of 9:40am Eastern, Sinclair shares (SBGI on the Nasdaq GlobalSelect market) were off 3.4% to $26.27 in light trading.