- Sinclair Broadcast Group lost tens of millions of dollars in an October ransomware attack that disrupted its news broadcasts and other programming, the company said in its year-end filing with the Securities and Exchange Commission. It did not pay the ransom demand, Sinclair said.
- The company lost $63 million in advertising revenue in the fourth quarter when the attack hampered its broadcasts. Sinclair paid an additional $11 million in costs and expenses related to mitigation, the investigation of the incident and security improvements, according to the filing.
- The costs exceeded the company's insurance coverage. The firm recorded $24 million in unrecoverable net losses related to the attack as of the March 1 filing of the 10-K.
The attack, discovered on Oct. 16, was one of the most high profile cybersecurity incidents of 2021, in part due to the visual disruption it created at the company. The attack led to the encryption of an undisclosed number of servers and workstations and also disrupted normal operations of a number of local broadcasts.
Sinclair owns, operates or provides services to 185 stations in 86 television markets and also owns 21 regional sports brands. A spokesperson for the company did not immediately return requests for comment.
The impact of the attack was so extensive that Sinclair was still working to restore full operations in November, when it reported third quarter earnings. The company was eventually able to regain control over its systems.
"Although we were able to restore our network from backups, there were disruptions to part of our businesses following the incident, including certain aspects of providing local advertisements by our local broadcast stations on behalf of our customers," Chris Ripley, president and CEO at Sinclair, said during the company fourth-quarter earnings call.
Researchers from Recorded Future in October linked the attack to Evil Corp., a ransomware group sanctioned by the U.S. Treasury Department. The threat actor used the Macaw malware variant to gain access to the network, a spokesperson for Recorded future confirmed.
Researchers linked a separate attack by Evil Corp. against optical products manufacturer Olympus, using the same malware variant.
The group, linked to Russia, has changed its techniques and branding repeatedly over the years to evade detention and sanctions that create legal roadblocks to its ability to receive ransom demands, according to researchers from SentinelOne.
The FBI confirmed last year it was aware of the attack on Sinclair, but did not provide any details about what took place.
Sinclair instituted a number of measures to improve its cybersecurity posture and is building out its cyber governance.
The broadcast group hired John McClure as its first chief information security officer in July 2021, months before the attack. Following the incident, the Sinclair board of directors created a cybersecurity subcommittee, which receives regular updates from management and has made several other changes to boost security policies and training.
The company also instituted a program to evaluate the security of vendors, boosted internal security training, implemented metrics to help measure the effectiveness of its security programs and strengthened policies related to security incidents, according to the filing.
The changes are part of a larger corporate governance trend at U.S. companies, which have been under pressure from regulators, insurers and major investors, to develop a higher level of accountability for security customer data and preventing malicious attacks.
"At a high level, the board is ultimately responsible for oversight of security," Claude Mandy, senior research director at Gartner, said via email. "This requires an understanding of the company's cyber risks, current performance and practice, [and] resilience to enable the board to fulfill its duties in assessing the adequacy of these measures."
Following the incident, Sinclair implemented an endpoint detection and response tool and engaged an additional cybersecurity firm to provide continuous monitoring of its network, according to the filing.
The company plans to make additional investments in cybersecurity, according to the filing. Sinclair is also working on a data protection initiative set for deployment later this year. The company said it could incur additional expenses related to incident response and said the estimated net loss does not account for any potential litigation or regulatory proceedings.