Shutterfly Employee Data Breach in Attack by Conti Ransomware Group

Update: Shutterfly Sends New Round of Data Breach Notices

California Class Action Investigation Underway

On June 2, 2022, Shutterfly issued another round of data breach notices to current and former employees who may have been affected by the ransomware attack it experienced on December 3, 2021.

According to the Notice, Shutterfly, based in Redwood City, California, did not discover the data breach until ten days after the initial compromise.

Initially, Shutterfly reported that only about 1,400 employees were affected by the breach. That number has now swelled to 52,777 affected individuals.

A sample of the new Data Breach Notice can be found here.

This attack has been attributed to the notorious Conti ransomware group. While Shutterfly sent some notices in March of this year, approximately six (6) months have elapsed between the Shutterfly data breach and this most recent round of California notices.

[original post]

On March 23, 2022, the California Attorney General’s Office reported that Shutterfly, Inc. had been exposed to a data breach stemming from a ransomware attack that exfiltrated the data of current and former Shutterfly employees. The personal information that may have been accessed for Shutterfly employees includes:

  • Social Security Numbers
  • Salary and Compensation Information
  • Information related to the Family and Medical Leave Act (FMLA)
  • Workers’ compensation claims

At least 1,406 Shutterfly employees may have been affected by this attack. The full text of the Shutterfly Notice of Data Breach can be found here.

Shutterfly issued a public statement on December 26, 2021, disclosing that it “recently experienced a ransomware attack on parts of our network.” While the company experienced interruptions of its corporate systems, it did not reveal that employee data may have been compromised until now.

While not much detail appears in the required data breach notification posted with the California Attorney General’s Office, the publication BleepingComputer reported that Shutterfly’s attack was perpetrated by the Conti ransomware group, which set up a data leak page containing screenshots to prove it had successfully exfiltrated the personal data of Shutterfly employees.

Some of the personal data captured by the Conti group has reportedly been publicly disclosed on the dark web. The FBI issued a Flash Alert about Conti ransomware attacks in May 2021.

The California Consumer Privacy Act Protects You

In 2018, California passed the California Consumer Privacy Act (CCPA). This law contains many protections for the personal information of California residents.

If certain types of personal information, like Social Security Numbers and medical information, are left unencrypted and are accessed, stolen, or hacked because a business did not fulfill its obligation to implement and maintain reasonable security, an affected California resident can sue to protect their rights under the CCPA.

Participants in data breach lawsuits can recover damages, injunctive relief (to ensure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from occurring again.

What can you do if you receive a Shutterfly Data Breach Notice?

Shutterfly suggests steps to protect your personal data and offers affected consumers a two-year membership in Equifax Credit Watch™ Gold.

Be aware that the Data Breach Notice says consumers must enroll to take advantage of this offer, and the enrollment deadline for the Equifax membership is May 31, 2022.

Will Following the Steps in the Shutterfly Data Breach Notice Prevent My Personal Information From Being Sold on the Dark Web?

“Dark web” monitoring can sometimes tell you if your information is being offered for sale to cyber thieves but cannot prevent the sale of that information.

Shutterfly’s data breach notice states that Credit Watch™ Gold includes WebScan notifications with the following caveat:

“WebScan searches for your Social Security Number, up to 5 passport numbers, up to 6 bank account numbers, up to 6 credit/debit card numbers, up to 6 email addresses, and up to 10 medical ID numbers. WebScan searches thousands of Internet sites where consumers’ personal information is suspected of being bought and sold, and regularly adds new sites to the list of those it searches. However, the Internet addresses of these suspected Internet trading sites are not published and frequently change, so there is no guarantee that we are able to locate and search every possible Internet site where consumers’ personal information is at risk of being traded.”

Unfortunately, if you are the victim of a data breach, you will still need to be on the lookout. Remain watchful for unapproved credit card charges, identity theft, tax fraud, and other illegal uses of your personal information.

As Electronic Personal Data Doesn’t Degrade, Two Years Of Identity Theft Services May Not Be Enough

Identity theft is on the upswing. In 2018, approximately 23 million people in the United States reported being victims of identity theft in the previous year.[1] By 2021, over 50 million personal records were compromised nationwide, with the T-Mobile data breach alone affecting 6 million consumers. Even Equifax and Experian, which are in the business of offering credit monitoring services, have experienced massive data breaches, affecting over 150 million people.

Personal data presents an attractive target for cyber criminals: it can be bought and sold anonymously, and the going rate per personal record is low (under $20 per record, depending on the type of information, according to the Privacy Affairs Dark Web Index of 2021). Certain critical types of personal data – like Social Security Numbers, names, and birth dates – are almost impossible to change. Thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities.

Not every data breach will lead to identity theft. But once you know your data has been disclosed, it is reasonable to be concerned that your data will be used to cause you significant financial losses. Compromised data also increases the risk of hacking, phishing, and anxiety over future losses and identity theft.

Corporations Should Be Held Accountable For Data Breaches

Many businesses amass vast troves of personal data about consumers and keep that data indefinitely for future profits. When companies use this strategy, keeping your personal information secure from cyber criminals is their responsibility. When you trust businesses with data that can be used to identify you, they owe you an obligation to use good privacy and security practices to keep your data safe.

When businesses collect and keep personal data about California employees, under California law, they take on the obligation to protect that information and keep it safe from hackers, thieves, and other criminals.

This personal data is incredibly valuable to businesses and criminals who want to sell that information on the dark web to identity thieves and other black marketeers. However, “it is clear that many organizations need to sharpen their security skills, training, practices, and procedures to protect consumers properly.”[2] The stakes are high: Data breach victims are more likely to be victims of additional fraud.[3]
[1] Source: E. Harrell, Victims of Identity Theft, 2018. US Department of Justice, Office of Justice Programs, Bureau of Justice Statistics, 2021.

[2] Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).

[3] Same source as [2].