
Photo provider Portraitbox: Extortion following security incident?

(Image: MheePanda/Shutterstock.com)

Unidentified attackers apparently extracted data via a poorly secured API and then deleted it. Thousands of photographers and their customers are affected.

The photo provider Portraitbox is apparently being extorted following a cyberattack. Several sources, citing affected parties, report this. The Paderborn-based company offers professional photographers a shop and gallery system with which they can send their customers digital contact sheets for photo orders. The galleries are currently offline, and various photo studios have already informed their customers.

Over the weekend of May 16 and 17, 2026, attackers apparently gained access to Portraitbox's AWS accounts, downloaded all photos and customer data stored there, and then deleted them. They are threatening to publish the data, according to reports received by the portal anwalt.de [1]. Who the extortionists are and what ransom they are demanding is currently unclear. Portraitbox does not appear on the usual leak sites and portals, possibly to avoid jeopardizing ongoing ransom negotiations.

All galleries created by photo studios and freelance photographers for their customers' images are affected. Such galleries are used to order prints after a photo session and to facilitate later reorders. Portraitbox also handles order processing and sends notification emails on behalf of its customers. The names, email addresses and delivery addresses of the photographed individuals are therefore among the stolen data. Access credentials, usually automatically generated access codes sent by email, have reportedly also been taken.

(Image caption: Keep moving, nothing to see: Portraitbox's photo galleries are offline following a security incident.)

Portraitbox has approximately 2,000 customers from the photography industry. If each of these photo studios had photographed only 100 people, that would already amount to 200,000 affected individuals.

Sensitive

Portraitbox is not only used for ordinary family photos, but also for school and kindergarten photos; many of those affected were therefore minors at the time the photos were taken.

Photographers should report the incident promptly

The company has informed its customers, the photo studios, but not the end customers. This is permissible under data protection law, because from a data protection perspective Portraitbox acts as a so-called processor: responsibility for the data processing remains with the photographer. This means that all photographers using Portraitbox must notify the relevant supervisory authority of the data protection incident and inform those affected, that is, all photographed individuals. Since the attackers are allegedly threatening to publish the data, and in some cases particularly sensitive images were taken (of children, but also intimate photos), this is a data protection incident with high risk.

The 72-hour deadline for reporting to the supervisory authority, that is, the state data protection officer of the federal state in which the photographer is based, is approaching. Since Portraitbox sent its information email on May 20, only a few hours remain until Saturday for a timely report. It is likely that the cybercriminals will follow through if no ransom is paid: several years ago, ransomware gangs even published photos of breast cancer patients [2]. (cku [4])

URL of this article: https://www.heise.de/-11304453

Links in this article:

[1] https://www.anwalt.de/rechtstipps/datenpanne-bei-portraitbox-was-fotografen-jetzt-in-72-stunden-tun-muessen-270936.html
[2] https://www.heise.de/news/Skrupellos-Cybergang-Alphv-veroeffentlicht-Patientenbilder-nach-Einbruch-7536239.html
[3] https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp
[4] mailto:cku@heise.de

Copyright © 2026 Heise Medien

heise security News
