Media conglomerate News Corp has disclosed that attackers behind a data breach revealed in February 2022 had access to parts of its internal systems for two years.

The initial attack was first detected in January last year, affecting News Corp. publications and business units, including The Wall Street Journal and its parent company Dow Jones, the New York Post, News U.K. and News Corp. headquarters. News Corp. said at the time that it believed a foreign country was involved in the attack and that some data had been stolen.

One year later, News Corp. sent out breach notifications to those affected by the hack providing further details. The Feb. 22 letter, first spotted by Bleeping Computer Friday, revealed that the attacker had gained access to a business email and document storage system used by the company. But the surprising part is when the attackers gained access.

“As soon as we became aware of the activity, we notified U.S. law enforcement and launched an investigation with the assistance of a leading cybersecurity firm,” the letter reads. “Based on the investigation, News Corp. understands that, between February 2020 and January 2022, an unauthorized party gained access to certain business documents and emails.”

Some of the documents accessed are said to have contained personal information. Information that may have been exposed included names, dates of birth, Social Security numbers, driver’s license information, passport numbers, financial account information, medical information and insurance information.

Those affected by the data breach are being offered two years of free identity protection and credit monitoring services from Experian plc.

News Corp did not provide further details of whom they believe was behind the attack. Mandiant, now owned by Google LLC and the cybersecurity firm hired by News Corp. to investigate the breach, has previously pointed the finger at China, claiming that the data breach likely involved espionage activities.

“This is why protecting against attacks is so vitally important,” Javvad Malik, lead awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “Detecting an intruder once they are inside an organization can be very difficult, especially if they have a long game in mind and move slowly.”

Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, said he thinks organizations need to do their due diligence, understand the true nature of the sensitive data they protect and find the right methods to guard their data.

“The best approach is to protect the data itself rather than the borders around it, an approach known as data-centric protection and which includes methods such as tokenization,” Shadabi explained. “Tokenization replaces sensitive information with benign but meaningless tokens, so even if hackers get to your data, it is unintelligible and therefore worthless to them.”

Image: News Corp