Cybersecurity News & Events

Cybersecurity in the News: Shutterfly Suffers Ransom Demands

Shutterfly, the photography and image-sharing company based in Redwood City, California, was recently rocked by a ransomware attack. The company stated that the cyber incident primarily impacted portions of its subsidiary businesses Lifetouch, Groovebook, and BorrowLenses, as well as certain facets of its manufacturing operations; the attack reportedly did not affect the company’s other ventures, including Snapfish, TinyPrints, and Spoonflower. The information stolen in this attack included

The company firmly believes that the attack was carried out by the ransomware group Conti, a belief prompted by the discovery of Shutterfly data on the group’s website. The group has demanded a ransom from Shutterfly in exchange for returning the stolen data to the affected organizations within Shutterfly. Shutterfly has hired an external cybersecurity company to assist with responding to the attack and has notified law enforcement to help ensure that proper action is taken. Conti has reportedly requested a ransom in the millions.

Thankfully, if you were a customer of Shutterfly or one of their other companies’ sites, the company’s statement made it clear that they do not believe your monetary data has been put at risk: “As part of our ongoing investigation, we are also assessing the full scope of any data that may have been affected. We do not store credit card, financial account information, or the Social Security numbers of our, Snapfish, Lifetouch, TinyPrints, BorrowLenses, or Spoonflower customers, and so none of that information was impacted in this incident.”

As users of many different online sites, we put a certain level of trust in the companies with which we share our data. However, with the number of data breaches encountered by businesses growing with each passing day, it is incredibly important that we do what we can to protect ourselves while still allowing ourselves to navigate the online world confidently.

Using a strong, unique password for each site is your first and best defense when operating online. If your login information for one business is stolen in that company’s data breach, you are in a much better position if you have kept each password unique. If you use the same or very similar passwords for every site, a malicious actor who gains access to your credentials for the one breached company now has a golden key to all of the other accounts that share the same cookie-cutter login information. Though you have no control over whether or not a company will encounter a data breach, you do have the power to control how far a hacker gets with the information taken in that breach.

In addition to strong password use, it is important to be careful to only share necessary information with each site you encounter. Similarly to navigating applications on your phone safely, do not give sites access to things like your current location or financial information if that is not information needed to conduct whatever business you are trying to conduct. Use sites that are secure (https!!) and if something feels phishy when you’re out there online, it probably is.
