Shutterfly customer data not exposed in latest breach

Personalized photo products leader Shutterfly was again the target of a data breach but said customer data was not exposed. According to Cybernews, Shutterfly was the latest in a batch of high-profile victims – like Warner Bros. Discovery and AMC Theatres – announced by the Russian-affiliated Cl0p ransomware group.

Shutterfly’s Vice President of Communications, Jennifer George, confirmed to Cybernews the company had been impacted but no customer data was compromised in the attack.

“Shutterfly’s enterprise business unit, Shutterfly Business Solutions (SBS), has used the MOVEit platform for some of its operations,” Shutterfly said in a statement sent directly to Cybernews.

“Upon learning of the vulnerability in early June, the company quickly took action, taking relevant systems offline, implementing patches provided by MOVEit, and commencing a forensics review of certain systems with the assistance of leading forensic firms,” the statement continued.

“After a thorough investigation with the assistance of a leading third-party forensics firm, we have no indication that any Shutterfly.com, Snapfish, Lifetouch, nor Spoonflower consumer data nor any employee information was impacted by the MOVEit vulnerability,” it said.

According to Cybernews, the Russian-linked Cl0p ransom group claimed responsibility for exploiting a zero-day flaw in the MOVEit file transfer system on their dark leak site on June 14. In June, Clop told the BleepingComputer site that, by exploiting this flaw, it had breached servers belonging to “hundreds of companies” to steal data.

Shutterfly was breached in December, 2021, by the Conti ransomware attack, when some employee data was exposed, and in 2018.