Mike Sneesby’s first day as Nine Entertainment’s chief executive was spent managing the biggest cyber-attack to hit an Australian media company, affecting TV programming and newspaper print production across the country.
The source of the suspected ransomware attack has not yet been identified and sources say the disruption could extend into the Easter long weekend.
Sneesby told staff late Monday that the cyber attack was “significant in scale with high potential to disrupt our business” and “a number of our core systems remain offline”.
Sneesby, the former CEO of streaming service Stan, had been learning the ropes from his predecessor, Hugh Marks, before beginning his first solo day on Monday in a near-empty building. Staff had been told to work from home due to the cyber-attack, which affected email systems and meant journalists had to rely on Slack to communicate.
Nine was hit by a cyber-attack on Sunday morning which knocked out the Weekend Today show and some news bulletins. TV news production normally done in Sydney had to be switched to Melbourne.
Nine’s Melbourne news director, Hugh Nailon, said he was forced to revert to whiteboards and textas to plan bulletins when the technical broadcast tools they usually relied on failed.
“Basically the Ferrari wouldn’t start and we had to fire up the Datsun 180B,” Nailon told Nine radio. “No emails, no internet. We had to take it back to TV in 1986 and do it manually.”
The editor-in-chief of the Australian Financial Review, Michael Stutchbury, said the outage had disrupted the production of the newspaper.
It had limited editors’ access to the print production system and they were unable to upload new photographs or create graphics to illustrate articles. Sources said Nine, which also publishes the Sydney Morning Herald and the Age, was forced to fill papers on Monday and also Tuesday with generic photographs.
“To minimise disruption for subscribers while we work to restore our systems, all of our articles have been made available to read without logging in,” Stutchbury said on Monday.
“However, some features are unavailable to subscribers who can’t log in. These include today’s paper, newsfeed, recently read, saved articles, markets data and company pages.”
Nailon said the news bulletins out of Brisbane, Adelaide and Perth also had to be produced as they would have been in the 1980s. An “army of support”, including technicians and producers, had flown into Melbourne to help out and the “place is absolutely humming”, he said.
“A good newsroom thrives on adversity,” Nailon told TV Tonight. “Today demonstrated that the Nine newsroom in Melbourne was able to take up the challenge and produce a bulletin for Sydney and Melbourne under as difficult circumstances as we’ve ever had.”
Nine management has not publicly commented since the director of people and culture, Vanessa Morley, said on Sunday that the attack had disrupted live broadcasts out of the network’s state-of-the-art office tower in Denison Street, North Sydney.
“Our IT teams are working around the clock to fully restore our systems, which have primarily affected our broadcast and corporate business units,” Morley said. “Publishing and radio systems continue to be operational. While our IT teams work through this issue, we ask that all employees, in all markets, work from home until further notice.”
Nailon said none of the computers were working so they used Notes on a mobile phone and a Word document to build a bulletin.
Forensic and recovery firms have been engaged and Nine now believes the attacker used Nine systems to send fraudulent updates to workers’ computers, the Herald has reported.
The media company has made contingency plans including flying producers to Melbourne and sending an NRL commentary panel to Newcastle to broadcast the football.
Monday’s flagship evening bulletin was interrupted when veteran Melbourne newsreader Peter Hitchener struggled to read the autocue and left the studio halfway through the broadcast.
But a Nine spokesperson blamed a migraine for the incident, rather than a technical issue related to the cyber-attack.
The chief information & technology officer, Damian Cronan, said it was a “significant, sophisticated and complex cyber-attack” but he is confident they have “isolated the attacker and the specific destructive activity that was initiated”.
“The consequence of this containment strategy is that our corporate network has been disconnected from the internet, and all internal networks separated from one another (e.g. Broadcast from Publishing, Sydney from Melbourne etc),” Cronan told staff late on Monday night.
“Looking ahead, now that we are in a state of containment, we are working on recovering the most critical aspects of service delivery (on-air and print operations, revenue-driven services, and other critical business services).”