Lee Enterprises, the Iowa-based newspaper chain that owns hundreds of publications in 25 states, including several in Montana, has agreed to pay $9.5 million to settle a subscriber privacy lawsuit — even as it confronts fresh legal troubles from a February 2025 cyberattack that allegedly exposed the personal information of thousands of employees.
Three new lawsuits filed this month in U.S. District Court for the Southern District of Iowa accuse Lee of negligence, breach of implied contract, unjust enrichment, and invasion of privacy. The suits allege the breach could have been prevented had Lee encrypted sensitive files, trained staff on cybersecurity best practices, and implemented basic monitoring systems. One complaint argues the company’s disclosure of the incident “amounts to no real disclosure at all,” depriving workers of key details needed to protect themselves from potential harm.
Lee has yet to respond to the lawsuits in court and has declined public comment. In prior statements, the company said it incurred $2 million in recovery costs after the cyberattack, which disrupted its billing and vendor payments.
The Qilin ransomware group has claimed responsibility, asserting it stole 350 gigabytes of company data — including contracts, spreadsheets, and confidential agreements — and released samples online. Regulatory filings indicate the breach involved 39,779 individuals’ personally identifiable information, ranging from Social Security numbers and driver’s license data to bank account details and medical records.
The incident is not Lee’s first brush with cybercrime. In 2020, federal prosecutors accused Iranian hackers of infiltrating the company’s systems to spread election-related disinformation; two Iranian nationals were later charged in connection with the scheme, a criminal case that remains active.
The $9.5 million settlement stems from a separate December 2022 class-action lawsuit brought by subscribers. That case alleged Lee’s websites contained tracking tools that sent users’ viewing data to Facebook without proper consent, potentially linking named Facebook users to specific videos they watched. Plaintiffs sought to force Lee to remove the tracking software and obtain explicit permission for any data sharing. The settlement, reached in March 2025, is pending court approval.
By: BSH staff