Understand Your Rights. Solve Your Legal Problems
The media company, which owns more than 300 newspapers and specialty publications across 25 states, including the Quad-City Times, Sioux City Journal, and Waterloo-Cedar Falls Courier, is under mounting legal pressure over alleged data privacy violations.
Three separate lawsuits were filed this month in U.S. District Court for the Southern District of Iowa. The plaintiffs—Nicole Church of Illinois, Declan Lawson of Montana, and Anthony Bangert of Wisconsin—are current or former Lee employees alleging:
Negligence
Invasion of privacy
Unjust enrichment
Breach of implied contract
Each suit seeks class-action status on behalf of thousands of Lee workers whose personal information was allegedly compromised in a February 2025 cyberattack. The plaintiffs claim the company failed to implement basic security protocols, such as encryption and system monitoring, to prevent unauthorized access.
According to the complaints, Lee began notifying affected employees on June 3, 2025, but allegedly provided little transparency about the scope of the breach or the vulnerabilities exploited.
One lawsuit calls the notification “no real disclosure at all,” stating that the lack of specifics made it difficult for victims to protect themselves from potential fraud or identity theft.
Lee has not yet responded in court, and a company spokesperson, Tracy Rouch, declined to comment on pending litigation.
Lee previously confirmed it had spent $2 million restoring its data systems following the February attack, which disrupted billing and vendor payments.
The Qilin ransomware group claimed credit for the breach, asserting it had accessed 350 gigabytes of sensitive data—including contracts, financial records, and NDAs. In filings with the SEC and the Maine attorney general, Lee disclosed the breach affected 39,779 individuals and exposed names, Social Security numbers, driver’s license data, medical and insurance information, and bank details.
The new employee lawsuits come just months after Lee reached a $9.5 million settlement in a separate class-action case filed by subscribers — a case that underscores the power of group litigation (see our What Is a Class Action? Explainer for more).
In that case, more than 1.5 million Lee newspaper subscribers alleged the company improperly shared personal data—including video viewing history—with Facebook through tracking tools embedded in Lee’s websites.
According to the lawsuit, individuals could match specific Facebook users to the videos they watched on Lee sites, violating privacy protections.
The class-action suit, filed in 2022, sought both monetary damages and a court order requiring Lee to obtain informed consent before sharing any subscriber data with third parties.
The case was mediated in November 2024 before Judge Wayne R. Andersen in Florida. Andersen proposed the $9.5 million figure, which was accepted by both sides.
The settlement applies to all paid subscribers who accessed video content on Lee websites between December 2020 and March 4, 2025, and who also used Facebook during that time.
In court filings supporting the agreement, both sides wrote that the payout “will yield a significant benefit” to affected users while avoiding drawn-out litigation. The settlement also includes changes to Lee’s digital privacy practices.
A final court hearing to approve the deal is scheduled for August 7, 2025.
This is not the first time Lee’s data systems have been compromised. In 2020, the company was targeted by Iranian hackers as part of a broader campaign to spread disinformation during the U.S. presidential election.
Two Iranian nationals were later charged with conspiracy to commit computer fraud, intimidation of voters, and making interstate threats. That federal criminal case remains open.
Lee Enterprises agreed to a $9.5 million settlement with subscribers over unauthorized data sharing with Facebook.
The company now faces three new class-action lawsuits from employees claiming their personal data was exposed in a February 2025 ransomware attack.
Lee has confirmed at least $2 million in recovery costs and the exposure of sensitive data for nearly 40,000 people.
A final ruling on the subscriber settlement is set for August 7, 2025.
1. What is the Lee Enterprises $9.5 million settlement about?
The $9.5 million settlement resolves a class-action lawsuit alleging that Lee Enterprises shared subscriber video-viewing data with Facebook without proper consent, violating privacy laws.
2. Who is affected by the Lee Enterprises data breach?
The February 2025 breach impacted 39,779 current and former Lee employees, exposing sensitive information such as Social Security numbers, medical data, and financial details.
3. What is the Qilin ransomware group’s role in the Lee cyberattack?
The Qilin group has claimed responsibility for the cyberattack on Lee Enterprises, alleging it accessed 350 GB of confidential company and employee data.
Interested in more high-profile legal showdowns and the laws behind them? Check out these in-depth features:
Top 5 Trademark Disputes of All Time – From Apple vs. Apple Corps to Nike’s logo wars, explore the courtroom battles that reshaped brand protection forever.
Where Did the Menendez Brothers’ Money Go? – A financial deep-dive into the infamous double murder case and the hidden fortune behind it.
Hulk Hogan’s “Real American Beer” Faces Legal Trouble Over Alleged IP Theft – The wrestling icon enters a new ring: trademark law.
Surviving Slender Man: The Long Road to Recovery for Payton Leutner – The emotional and legal journey following one of the internet’s most disturbing criminal cases.
