When Montana Attorney General Austin Knudsen announced an investigation into Lee Enterprises in June 2025, it sent a clear message: data breaches aren’t just a corporate headache; they’re a consumer protection issue with real stakes. The probe, launched under Montana’s Consumer Protection Act, targets a February 2025 cyberattack that exposed the personal information of nearly 40,000 employees and subscribers of the Iowa-based media company, which owns major Montana newspapers like the Billings Gazette and Missoulian. For those of us in the privacy world, this investigation is a wake-up call, highlighting the growing scrutiny on how businesses handle sensitive data and the ripple effects when they fail to protect it. It’s also a reminder that even media companies, often seen as stewards of public trust, aren’t immune to the fallout of a data breach.
The cyberattack, attributed to the Qilin ransomware gang, hit Lee Enterprises hard, disrupting print and digital operations and compromising names, Social Security numbers, and other sensitive details. Knudsen’s investigation isn’t just about pointing fingers—it’s about digging into how Lee collects, uses, and protects customer data, and whether it met its legal obligations to notify affected Montanans promptly. The Civil Investigative Demand (CID) issued on June 18, 2025, gives Lee until July 18 to answer tough questions: What data was collected? Why was it needed? And when, exactly, did Lee inform its customers? For privacy professionals, this probe underscores the importance of transparency and accountability in a world where data breaches are all too common.
Three Critical Questions the Investigation Raises
Knudsen’s probe into Lee Enterprises shines a spotlight on key issues that businesses and privacy professionals need to grapple with in the wake of a data breach:
- Was Notification Timely and Adequate? Montana law requires companies to notify the state’s consumer protection office and affected individuals when a breach compromises personal data. Lee reported the breach to the Maine Attorney General’s Office on June 3, 2025, stating it discovered the data exposure on May 28, nearly four months after the February 3 attack. The investigation will likely probe whether this delay meets Montana’s standards for prompt notification and whether Lee’s communications to customers were clear and comprehensive.
- How Secure Were Lee’s Data Practices? The CID demands details on the type of information Lee collects and its business purpose. Social Security numbers, in particular, are a red flag—why does a media company need such sensitive data, and how was it protected? The investigation will assess whether Lee’s cybersecurity measures were robust enough to prevent a breach of this scale.
- What Are the Broader Implications for Compliance? With nearly 40,000 people affected, including Montanans, the probe will evaluate whether Lee complied with consumer protection laws. This could set a precedent for how media companies, and others handling personal data, are held accountable for breaches, especially as state-level scrutiny intensifies.
Steps Businesses Can Take to Stay Ahead
The Lee Enterprises investigation offers lessons for any organization handling personal data. Here are practical steps to strengthen compliance and reduce risk:
- Conduct Regular Security Audits: Proactively assess systems to identify vulnerabilities before hackers do. Regular audits can help ensure that sensitive data, like Social Security numbers, is encrypted and access is tightly controlled.
- Minimize Data Collection: Collect only what’s necessary for business purposes. If the investigation into Lee reveals excessive data collection, the company could face penalties and loss of consumer trust.
- Develop a Robust Incident Response Plan: A clear plan for detecting, responding to, and notifying about breaches can reduce delays and demonstrate compliance. Lee’s four-month gap between the breach and notification raises red flags that businesses should avoid.
- Train Employees on Data Protection: Human error is a leading cause of breaches. Regular training can help staff recognize phishing attempts and other tactics used by groups like Qilin.
The Lee Enterprises breach isn’t an isolated incident. It follows a pattern of high-profile cyberattacks, like the 2024 breach of a major ID verification provider, which exposed thousands of records. What makes this case stand out is the public nature of Lee’s business—newspapers are trusted institutions, and a breach of subscriber data feels like a betrayal. Knudsen’s investigation, as he stated, aims to “protect Montanans by ensuring companies that collect and store our personal and financial information do so responsibly.” That’s a mandate privacy professionals can’t ignore, especially as state attorneys general take a harder line on data protection.
The broader context here matters. Montana is one of many states tightening the screws on data privacy, with laws like the Consumer Protection Act empowering regulators to act swiftly. The Lee probe comes on the heels of other Knudsen-led investigations, like one into MSCI Inc. for alleged discriminatory practices, showing a willingness to use consumer protection laws broadly. For businesses, this means compliance isn’t just about checking boxes—it’s about building systems that can withstand both cyberattacks and regulatory scrutiny.
The investigation also highlights the human cost of data breaches. Social Security numbers, once exposed, can fuel identity theft, financial fraud, and years of headaches for victims. Lee has promised free credit monitoring for affected individuals, but for many, that’s cold comfort after the fact. As The Register noted, the Qilin gang’s involvement suggests a sophisticated attack, likely with ties to Russia, underscoring the global nature of cyber threats. Businesses can’t just hope to avoid hackers; they need to assume breaches will happen and plan accordingly.
For privacy professionals, the Lee Enterprises case is a chance to rethink how we advise clients. It’s not enough to have a privacy policy in place—companies need to show they’re acting on it. This means investing in encryption, limiting data retention, and being transparent about breaches when they occur. Lee’s pledge to cooperate with Knudsen’s investigation is a start, but the real test will be what the CID uncovers. Did Lee know about the breach earlier than reported? Were its cybersecurity measures up to par? And how will it rebuild trust with subscribers who now know their data was compromised?
Looking ahead, this probe could have ripple effects beyond Montana. Lee operates in 25 states, and other attorneys general may follow Knudsen’s lead, especially if the investigation reveals systemic failures. The media industry, already struggling with declining revenues, can ill afford the reputational hit of a mishandled breach. For privacy professionals, this is a reminder to advocate for proactive measures—waiting for a regulator’s letter isn’t a strategy. As Knudsen put it, “Identity theft associated with data breaches threatens Montanans’ financial security.” That’s a call to action for any business handling personal data, whether it’s a newspaper or an adult website facing age verification laws.
The Lee Enterprises investigation is still unfolding, but it’s already a case study in the stakes of data privacy. It’s a chance for businesses to learn from mistakes, for regulators to set clearer standards, and for privacy professionals to push for better practices. As Montana digs into Lee’s data practices, the rest of us should be asking: How can we do better to protect the people whose data we hold? The answer lies in vigilance, transparency, and a commitment to putting privacy first—before the next breach makes headlines.