The Attorneys General of California, Vermont, Maine, Indiana and others have reported that Shutterfly, Inc. has been exposed to a data breach resulting from a ransomware attack that exfiltrated the data of Shutterfly employees. The Conti Ransomware Group was reportedly able to breach Shutterfly security and copy sensitive employee personal data.
Approx. Date of Breach: December 3, 2021
Date of California Notice: March 23, 2022
Personal Information Which May Have Been Compromised:
• Social Security Numbers
• Salary and Compensation Information
• Information related to Family and Medical Leave Act (FMLA) leave
• Workers’ compensation claims
The full text of the Shutterfly Notice of Data Breach can be found here.
The FBI Has Been Warning About Conti Ransomware Attacks For 11 Months
The FBI issued a Flash Alert about Conti ransomware attacks in May 2021, after having determined that at least 16 ransomware incidents were perpetrated by the group. According to the FBI, the Conti group operates in a manner typical of ransomware operations: stealing personal information (PI) from businesses whose security is vulnerable, locking the company out of its network, and then demanding a ransom payment to avoid having the stolen PI publicly sold on the dark web.
Conti members use malicious email links, attachments, and stolen Remote Desktop Protocol credentials to infiltrate business networks. Word documents then deploy ransomware into compromised networks. If there is no response to the ransomware after 2 to 8 days, businesses are often contacted by phone to negotiate. The Flash Alert suggests mitigating steps businesses should take to avoid having their customers and employees victimized.
In September 2021, with updates as recently as March 9, 2022, the FBI, DOJ, NSA and Cybersecurity & Infrastructure Security Agency (CISA) issued a Joint Cybersecurity Advisory regarding the Conti ransomware cyber threat. The Advisory details areas prone to exploitation by the cyber threat group, how to spot infiltration, and how to prevent attacks.
Businesses Should Be Held Accountable For Data Breaches
Many businesses amass huge troves of personal data about consumers and keep that data indefinitely for future profits. This personal data is incredibly valuable, both to businesses and to criminals who want to sell that information on the dark web to identity thieves and other black marketeers. However, “it is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.”¹ The stakes are high: Data breach victims are more likely to also be victims of additional fraud.²
When businesses decide to collect and keep personal data about California employees, under California law they take on the obligation to protect that information and keep it safe from hackers, thieves, and other criminals.
For more information about the Conti group's reported attack on Shutterfly, click here.
The California Consumer Privacy Act Protects Data Breach Victims
California passed the most comprehensive state privacy law in the nation in 2018, the California Consumer Privacy Act (CCPA). The law contains many personal information protections for California consumers, employees, and residents generally. Under the CCPA, California residents who received a Shutterfly Data Breach Notice may be entitled to between $100 and $750 or their actual damages, whichever is greater.³
Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else a court concludes is necessary to compensate data breach victims and prevent these harms from recurring.
We Can Help You Exercise Your Rights
Every case is unique. Even when your data has been part of a breach, you may not necessarily be awarded compensation. Experienced data breach class action attorneys can help you exercise your rights, evaluate your options, and decide whether you are entitled to compensation under the CCPA. There are no out-of-pocket costs to you, as we only get paid if we prevail.
For more information on your legal options, please contact us using the form found here.
¹ Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).
² Same.
³ California Civil Code § 1798.150.