Shutterfly Employee Data Breach in Attack by Conti Ransomware Group • LegalScoops | #malware | #ransomware

On March 23, 2022, the California Attorney General’s Office reported that Shutterfly, Inc. had been exposed to a data breach stemming from a ransomware attack that exfiltrated the data of Shutterfly employees. The personal information that may have been accessed for Shutterfly employees includes:

  • Social Security Numbers
  • Salary and Compensation Information
  • Information related to Family and Medical Leave Act (FMLA) leave
  • Workers’ compensation claims

At least 1,406 Shutterfly employees may have been affected by this attack. The full text of the Shutterfly Notice of Data Breach can be found here.

For a free privacy consultation fill out the form below or call us at (844) BREACH8 – (844) 273-2248).

Shutterfly issued a public statement on December 26, 2021, disclosing that it “recently experienced a ransomware attack on parts of our network.” While the company experienced interruptions of its corporate systems, it did not reveal that employee data may have been compromised until now.

While not much detail appears in the required data breach notification posted with the California Attorney General’s Office, the publication BleepingComputer, reported that Shutterfly’s attack was perpetrated by the Conti ransomware group, which set up a data leak page containing screenshots to prove they had successfully exfiltrated the personal data of Shutterfly employees.

Some of the personal data captured by the Conti group has reportedly been publicly disclosed on the dark web. The FBI issued a Flash Alert about Conti ransomware attacks in May, 2021.

The California Consumer Privacy Act Protects You

In 2018, California passed the California Consumer Privacy Act (CCPA). This law contains many protections for personal information of California residents.

If certain types of personal information, like Social Security Numbers and medical information, are left unencrypted and are accessed, stolen, or hacked because a business didn’t fulfill its obligation to implement and maintain reasonable security, an affected California resident can sue to protect their rights under the CCPA.

If you are a California resident and received a Recent Notice of Data Breach from Shutterfly, you may be entitled to between $100 and $750 or your actual damages, whichever is greater.

Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again) and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from occurring again.

For more information on your options fill out the form below or call us at (844) BREACH8 – (844) 273-2248).

What can you do if you received a Shutterfly Data Breach Notice?

Shutterfly suggests steps to take to protect your personal data, and is offering affected consumers a two-year membership in Equifax Credit Watch™ Gold.

Be aware that the Data Breach Notice says consumers have to enroll to take advantage of this offer, and there is an enrollment deadline for the Equifax membership of May 31, 2022 to do so.

Will Following the Steps in the Shutterfly Data Breach Notice Prevent My Personal Information From Being Sold on the Dark Web?

“Dark web” monitoring can sometimes tell you if your information is being offered for sale to cyber thieves but cannot actually prevent the sale of that information.

Shutterfly’s data breach notice states that Credit Watch™ Gold includes WebScan notifications with the following caveat:

“WebScan searches for your Social Security Number, up to 5 passport numbers, up to 6 bank account numbers, up to 6 credit/debit card numbers, up to 6 email addresses, and up to 10 medical ID numbers. WebScan searches thousands of Internet sites where consumers’ personal information is suspected of being bought and sold, and regularly adds new sites to the list of those it searches. However, the Internet addresses of these suspected Internet trading sites are not published and frequently change, so there is no guarantee that we are able to locate and search every possible Internet site where consumers’ personal information is at risk of being traded.”

Unfortunately, if you are the victim of a data breach you will still need to be on the lookout. You must remain ever watchful for unapproved credit card charges, identify theft, tax fraud and other illegal uses of your personal information.

As Electronic Personal Data Doesn’t Degrade, Two Years Of Identity Theft Services Offered by Shutterfly May Not Be Enough

Identity theft is on the upswing. In 2018 approximately 23 million people in the United States reported that they had been victims of identity theft within the previous year.[1] By 2021, there were over 50 million personal records compromised nationwide; with the T-Mobile data breach alone affecting 6 million consumers. Even Equifax and Experian, which are in the business of offering credit monitoring services, have experienced massive data breaches, affecting over 150 million people.

For a free privacy consultation fill out the form below or call us at (844) BREACH8 – (844) 273-2248).

Cybercrimes present an attractive target for hackers: Data can be bought and sold anonymously, and the going rate per personal record is low (under $20 per record, depending on the type of information according to Privacy Affairs Dark Web Index of 2021). Certain critical types of personal information – like social security numbers, names, and birth dates – are almost impossible to change. Thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities.

Not every data breach will lead to identity theft. But once you know your data has been disclosed, it is reasonable to be concerned that your data will be used to cause you significant financial losses. Compromised data also increases the risk of hacking, phishing, and increased anxiety over future losses and identity theft.

Businesses Should Be Held Accountable For Data Breaches

Many businesses amass huge troves of personal data about consumers and keep that data indefinitely for future profits. When companies use this strategy, keeping your personal information secure from cyber criminals is their responsibility. When you trust businesses with data that can be used to identify you, they owe you an obligation to use good privacy and security practices to keep your data safe.

When businesses decide to collect and keep personal data about California employees, under California law they take on the obligation to protect that information and keep it safe from hackers, thieves, and other criminals.

This personal data is incredibly valuable, both to businesses and to criminals who want to sell that information on the dark web to identity thieves and other black marketeers. However, “it is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.”[2] The stakes are high: Data breach victims are more likely to also be victims of additional fraud.[3]

We Can Help You Exercise Your CCPA Rights

Every case is unique. Even when your data has been part of a breach, despite the provisions of the CCPA you may not be awarded compensation.

Experienced data breach and class action attorneys can help you exercise your rights, evaluate your options and decide whether you are entitled to compensation under the CCPA. There are no out of pocket costs to you, as we only get paid if we prevail.

For more information on your options, please fill out the following form.


[1] Source: E. Harrell, Victims of Identity Theft, 2018. US Department of Justice, Office of Justice Programs, Bureau of Justice Statistics, 2021.

[2] Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).

[3] Same.

Original Source link

Leave a Reply

Your email address will not be published.

five + two =