Shutterfly reports ransomware attack; Lifetouch and BorrowLenses affected

Personalized photography leader Shutterfly reported a ransomware attack on Sunday, Dec. 26. The incident was first made public by Bleeping Computer, which claimed a source identified the attackers as the Conti ransomware group.

In a statement (reproduced below) Shutterfly said portions of the Lifetouch and BorrowLenses business were affected. They experienced interruptions with Groovebook, manufacturing offices, and some corporate systems as well. Shutterfly.com, Snapfish.com, TinyPrints.com, and Spoonflower were not impacted.

According to the Bleeping Computer report, Conti created a private Shutterfly data leak page containing screenshots of files allegedly stolen during the ransomware attack, as a  “double-extortion” tactic. The attackers threaten to make this page public if a ransom is not paid.

BleepingComputer was told these screenshots include legal agreements, bank and merchant account info, login credentials for corporate services, spreadsheets, and what appears to be customer information, including the last four digits of credit cards. Shutterfly, however, states customer information was not impacted by the breach:

“As part of our ongoing investigation, we are also assessing the full scope of any data that may have been affected. We do not store credit card, financial account information, or the Social Security numbers of our Shutterfly.com, Snapfish, Lifetouch, TinyPrints, BorrowLenses, or Spoonflower customers, and so none of that information was impacted in this incident.”

Bleeping Computer added the attack started about two weeks ago and involves a ransom demand in the millions.

Shutterfly’s statement is below:

Shutterfly, LLC recently experienced a ransomware attack on parts of our network. This incident has not impacted our Shutterfly.com, Snapfish, TinyPrints or Spoonflower sites. However, portions of our Lifetouch and BorrowLenses business, Groovebook, manufacturing and some corporate systems have been experiencing interruptions. We engaged third-party cybersecurity experts, informed law enforcement, and have been working around the clock to address the incident.

As part of our ongoing investigation, we are also assessing the full scope of any data that may have been affected. We do not store credit card, financial account information or the Social Security numbers of our Shutterfly.com, Snapfish, Lifetouch, TinyPrints, BorrowLenses, or Spoonflower customers, and so none of that information was impacted in this incident. However, understanding the nature of the data that may have been affected is a key priority and that investigation is ongoing. We will continue to provide updates as appropriate.