Incident

Event photography business DEPhoto hit by two consecutive data breaches



DEphoto (DEphoto.biz), a UK-based photography business specializing in school, sports, club, and event photography, was hit by two consecutive cyberattacks in December 2024.

The first attack occurred on December 25, 2024, when threat actor 0mid16B gained direct access to the company's backend MSSQL server. After DEphoto allegedly restored their systems without implementing adequate protection or monitoring, a second attack followed on December 29, 2024, using credentials from the DB user login to access the front end.

The breaches exposed 555,952 customer records, 16,213 records containing full credit card details, and hundreds of gigabytes of photos. Exposed data includes:

  • Customer names
  • Postal addresses
  • Email addresses
  • Home phone numbers
  • Mobile phone numbers
  • Payment card information - card numbers, expiration dates, and CVV codes
  • IP addresses (for franchise promotion respondents)
  • Photos, including children's photographs
  • Two databases: dephoto.bak and dephoto.mdf, containing over 12GB of data

The threat actor demanded 50,000 GBP (approximately $62,741.16) in ransom on December 27, 2024, communicating with the company's IT developer via WhatsApp. The company did not respond to the demand.

DEphoto began notifying affected customers via email around December 28, 2024. The incident revealed potential GDPR compliance issues, as customers reported that their data had been retained for up to 10 years after their purchases, seemingly in contradiction to the company's own data retention policy which states "The company will retain personal data for no longer than is necessary." The company's privacy policy was last updated in May 2018, when GDPR took effect.

The threat actor has stated their intention to list the 500,000-customer database for sale and release the remaining data for free. As of the initial report, DEphoto had not posted any notice about the incident on their website.
