Online retail and photography manufacturing platform Shutterfly has disclosed a data breach that exposed employee information after threat actors stole data during a Conti ransomware attack. Shutterfly offers photography-related services to consumers, the enterprise, and education through various brands, including Shutterfly.com, BorrowLenses, GrooveBook, Snapfish, and Lifetouch. Today, Shutterfly disclosed that its network was breached on December 3rd, 2021, due to a ransomware attack. During ransomware attacks, threat actors will gain access to a corporate network and steal data and files as they spread throughout the system. Once they gain access to a Windows domain controller, and after harvesting all valuable data, they deploy their ransomware to encrypt all network devices. According to Shutterfly’s data breach notification, the Conti threat actor deployed the ransomware on December 13th, 2021, when the company first became aware that they were compromised. “The attacker both locked up some of our systems and accessed some of the data on those systems. This included access to personal information of certain people, including you,” reads Shutterfly’s data breach notification filed with the California Attorney General’s Office.
Ransomware remains one of the most serious cybersecurity threats to organizations large enough to pay a ransom. It is now standard practice for ransomware gangs to also exfiltrate data to be used as leverage to extort organizations with the threat of leaking it on their website, even if they are able to restore from backups and continue operations. Thus, it is crucial to prevent ransomware incidents from happening in the first place, even if you have multiple backups and a rigorous, practiced incident response plan. Initial access to networks is often gained by phishing attacks, or by bruteforcing RDP or VPNs exposed to the Internet. Train employees to spot and report phishing emails, and to never enable macros on Office documents unless there is absolutely a confirmed business need to do so. Beyond this, it is important to have good endpoint monitoring with an EDR solution and a competent SOC to triage the alerts, whether that be an internal team or a service like Binary Defense.