Shutterfly, Inc. Provides Notice of Data Breach to Additional Employees | Console and Associates, P.C.
In March of this year, Shutterfly sent out data breach notification letters to roughly 1,400 employees following a ransomware attack. More recently, Shutterfly, Inc. filed additional documents with various state governments indicating that the number of employees affected by the Shutterfly breach may be much higher than the company initially believed. According to the most recent filings, the Shutterfly breach appears to have resulted in the following data types being compromised: name, address, Social Security number, government-issued identification, financial information, medical information and healthcare information. On May 29, 2022, Shutterfly provided notice of the breach to all employees whose information was leaked as a result of the incident.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Shutterfly data breach, please see our recent piece on the topic here.
What We Know About the Shutterfly Data Breach
On December 13, 2021, Shutterfly learned that it had been the target of a ransomware attack on or around December 3, 2021. In response, Shutterfly enlisted the assistance of cybersecurity experts to investigate the incident. This investigation confirmed that an unauthorized party was able to access sensitive employee data stored on the company's servers.
Initially, Shutterfly believed that approximately 1,400 employees were impacted by the breach. The company sent out initial data breach letters to these parties on March 22, 2022. At the time, the company believed that the compromised information was limited to certain employees’ names, Social Security numbers, salary and compensation information, and information related to FMLA leave or workers’ compensation claims.
However, more recently, Shutterfly filed a subsequent notice of the breach with various state governments. In this notice, Shutterfly indicates that the breach may have affected thousands more employees than the company originally thought. Moreover, the list of compromised data types has expanded to: names, addresses, Social Security numbers, government-issued identification numbers, financial information, medical information and healthcare information.
On May 29, 2022, Shutterfly sent additional data breach letters to all employees who were affected by the breach.
What Are Ransomware Attacks, and Can Companies Prevent Them?
Ransomware is one of the most common forms of cyberattack. According to the Identity Theft Resource Center, the number of ransomware attacks against U.S. companies more than doubled between 2020 and 2021, from 158 in 2020 to 321 in 2021. By that count, ransomware was the second most common type of cyberattack, behind phishing.
There are several ways a ransomware attack can unfold. At its most basic, the attacker installs malicious software on the victim's device or computer network. That software encrypts the data it finds, locking the victim out of their own files and, often, the systems that depend on them. In many recent attacks the operators also copy data out of the network before encrypting it, which is why a ransomware incident can also be a data breach: the attackers hold a copy of the victim's information even after the encryption is undone.
When the victim tries to use the system, they find a notice demanding payment before access is restored. In most cases the goal is to extort money from a company. If the company does not pay, and sometimes even if it does, the attackers publish the stolen information on the dark web.
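As an added illustration, not part of the original article and not drawn from Shutterfly's investigation, the following Python script shows how a defender could recognise the file-encryption stage described above from a snapshot of a file share. It combines three indicators: files renamed with an extension ransomware typically appends, file contents whose byte entropy is close to that of random data (what encryption produces), and a ransom note left beside the files. The extension list, note file names, thresholds and sample files are assumptions constructed for the demo, not indicators from any specific ransomware family.

```python
"""Offline heuristic check for signs of ransomware file encryption.

Added illustration only; the thresholds, extension list and note names
below are assumptions chosen for the demo, not indicators taken from the
Shutterfly incident or from any specific ransomware family.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Assumed examples of extensions ransomware appends to encrypted files.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
# Assumed examples of ransom-note file names left for the victim.
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover_files.txt"}
# Encrypted or random data approaches 8 bits of entropy per byte;
# ordinary office documents and source code sit well below this.
ENTROPY_THRESHOLD = 7.5
MIN_SAMPLE = 1024  # skip tiny files, whose entropy estimate is noisy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or uniform input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_directory(root, max_bytes=65536):
    """Collect the three indicators for every regular file under `root`."""
    root = Path(root)
    findings = {"high_entropy": [], "suspicious_ext": [], "ransom_notes": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in RANSOM_NOTE_NAMES:
            findings["ransom_notes"].append(rel)
        if path.suffix.lower() in SUSPICIOUS_EXTENSIONS:
            findings["suspicious_ext"].append(rel)
        sample = path.read_bytes()[:max_bytes]  # only the head of large files
        if len(sample) >= MIN_SAMPLE and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
            findings["high_entropy"].append(rel)
    return findings


def looks_encrypted_by_ransomware(findings, min_files=3):
    """True on a ransom note, or on several files both renamed and high-entropy.

    Entropy alone is not enough: archives, images and legitimately
    encrypted files are high-entropy too, so the rename is required as well.
    """
    if findings["ransom_notes"]:
        return True
    both = set(findings["suspicious_ext"]) & set(findings["high_entropy"])
    return len(both) >= min_files


def build_sample_tree(root, infected):
    """Write constructed sample files: plaintext HR records plus a
    random-byte 'photo', and, if `infected`, three encrypted-looking
    copies and a ransom note."""
    root = Path(root)
    (root / "hr").mkdir()
    for i in range(3):
        (root / "hr" / f"payroll_{i}.csv").write_text("employee,ssn,salary\n" * 100)
    # Stand-in for compressed media: high entropy but not an attack.
    (root / "hr" / "photo.jpg").write_bytes(random.Random(7).randbytes(4096))
    if infected:
        rng = random.Random(1)
        for i in range(3):
            (root / "hr" / f"payroll_{i}.csv.locked").write_bytes(rng.randbytes(8192))
        (root / "hr" / "README_TO_DECRYPT.txt").write_text(
            "Your files are encrypted. Pay to recover them.\n")
    return root


def demo(infected=True):
    """Build a sample tree in a temp dir, scan it, return (findings, verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, infected)
        findings = scan_directory(tmp)
    return findings, looks_encrypted_by_ransomware(findings)


if __name__ == "__main__":
    for infected in (False, True):
        findings, verdict = demo(infected)
        print(f"infected={infected}: verdict={verdict} findings={findings}")
```

The clean tree is reported as benign even though the constructed photo is high-entropy, because the verdict requires a rename or a note in addition to entropy; the infected tree trips on both the three renamed high-entropy files and the note. In practice this kind of check belongs on a schedule against backups and file shares, since catching mass encryption early limits how much has to be restored.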
The Federal Bureau of Investigation recognizes the serious threat posed by ransomware attacks and has provided companies with guidance on how to decrease the likelihood of a ransomware attack. According to the FBI, organizations should keep the following in mind to reduce the chances of falling victim to a ransomware attack:
Do not click on unsolicited attachments or links in emails;
Frequently back up all critical data;
Implement least privilege for file, directory, and network share permissions;
Install and regularly update anti-virus or anti-malware software on all hosts;
Only use secure networks and avoid using public Wi-Fi networks;
Secure back-ups so that they are not accessible from the system where the original data is kept;
Deliver second-factor codes through authenticator apps rather than email, since cybercriminals may already have taken control of employee email accounts;
Use two-factor authentication for user login credentials; and
When backing up data, ensure copies are uploaded to the cloud or downloaded to an external hard drive.
This advice makes it clear that companies can, and should, take steps to limit the risk of ransomware attacks. Unfortunately, not every company takes its data security obligations as seriously as it should.