Security incident at photo provider: Is Portraitbox being blackmailed?

Unknowns exfiltrated and deleted data via a poorly secured API. Thousands of photographers and customers are affected by the cyberattack.


(Image: MheePanda/Shutterstock.com)


The photo provider Portraitbox is apparently being blackmailed following a cyberattack. This is reported by various sources, citing affected individuals. The Paderborn-based company offers professional photographers a shop and gallery system with which they can send digital contact sheets to their customers, for example for photo orders. The galleries are currently offline, and various photo studios have already informed their customers.

Over the weekend of May 16 and 17, 2026, attackers apparently gained access to Portraitbox's AWS accounts, downloaded all photos and customer data stored there, and then deleted them. They are threatening to publish the data, as the portal anwalt.de has learned. It is currently unclear who the blackmailers are or what ransom they are demanding. Portraitbox does not appear on the usual leak sites and portals, possibly to avoid jeopardizing ongoing ransom negotiations.

All galleries that photo studios and freelance photographers have created for their customer images are affected. Such galleries are used after a photo session to order photos as prints and to simplify later reorders. Portraitbox also handles order processing and the dispatch of notification emails for its customers. The names, email addresses, and delivery addresses of those photographed are also among the stolen data. The access data, usually automatically generated access codes sent via email, have reportedly also been compromised.

Move along, nothing to see here: The photo galleries at Portraitbox are offline following a security incident.

Portraitbox has around 2000 customers from the photography industry. If each of these photo studios has photographed only 100 people, that means 200,000 people are affected. Sensitive issue: Portraitbox is not only used for normal family photos, but also for school or kindergarten photos – so many affected individuals were minors at the time of the photo shoot.

The company has informed its customers, the photo studios, but not the end customers. This is permissible under data protection law because Portraitbox acts as a processor: the photographer remains the party responsible for the data processing. This means that every photographer using Portraitbox must notify the competent supervisory authority of the data protection incident and inform the affected parties, i.e. everyone who was photographed. Because the attackers are allegedly threatening to publish the data, and some of the images are particularly sensitive (of children, but also erotic photos), this constitutes a high-risk data protection incident.

The 72-hour deadline for reporting to the supervisory authority, i.e., the state data protection officer for the federal state in which the photographer is based, is running out soon. Since Portraitbox already sent an information email on May 20, only a few hours remain until Saturday for a timely report. It is likely that the cybercriminals will follow through if the ransom is not paid. Several years ago, ransomware gangs even published photos of breast cancer patients.

(cku)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.