Cyber Incident Victim: Creator Studio Pro
Date: Feb 2024
Location: Canada
Summary
A ransomware attack compromised Entourage's Creator Studio Pro yearbook software platform via stolen developer credentials on its Canadian AWS server, affecting photos uploaded for school yearbooks over a two-year period. The threat actors exfiltrated raw image files but did not access identifying student information or yearbook text templates; limited metadata like geolocation may have been present depending on upload sources. Following negotiations facilitated by cybersecurity advisors, the attackers returned all Canadian photo files with deletion assurances, while third-party web monitoring confirmed no distribution. Entourage, the impacted service provider, implemented containment measures including server decommissioning, credential rotation, developer access restrictions, and security audits to prevent recurrence. Edge Imaging, whose systems remained unaffected, coordinated breach notifications through school boards and initiated yearbook reconstruction efforts with affected institutions.
Description
On February 5, 2024, Entourage, the owner of the Creator Studio Pro yearbook software platform, identified a cyber incident on its Canadian AWS cloud server. The breach originated from a compromised developer username and password associated with one of Entourage’s server accounts, enabling unauthorized access. This led to a ransomware attack in which threat actors exfiltrated photo images stored in a specific storage container. Edge Imaging, a yearbook provider utilizing Creator Studio Pro as a third-party service, was notified of the incident and subsequently alerted affected school boards, including the Upper Grand District School Board (UGDSB), on February 8, 2024. The breach impacted six UGDSB schools—Centennial CVI, Guelph CVI, Wellington Heights SS, Centre Dufferin DHS, Edward Johnson PS, and Ken Danby PS—compromising photos uploaded for the 2022/23 and 2023/24 yearbooks. Edge Imaging clarified that only raw photo files were accessed, with no accompanying identifying information such as student names, school names, grades, or captions. However, metadata like geo-location data may have been present in some photos depending on the originating device, though Edge Imaging’s own camera-captured images lacked such metadata. On February 8, Edge Imaging reported the incident to the FBI due to Entourage’s New Jersey jurisdiction and began notifying school board privacy officers and yearbook advisors to disseminate information to their communities. By February 15, Edge Imaging had notified federal and provincial Canadian privacy commissioners, formalizing regulatory disclosures.

Entourage initiated containment measures by taking the affected AWS server offline, rotating all compromised credentials, and revoking developer access to the Canadian environment. The company engaged cybersecurity advisors to negotiate with the threat actors, culminating in the recovery of all Canadian photo files by February 29, 2024, alongside a commitment from the attackers that the files were deleted and not distributed. Edge Imaging supplemented this by contracting web monitoring services to detect potential leaks of the photos online. Entourage also commissioned third-party security audits and implemented code and network security enhancements to prevent recurrence. The incident necessitated the re-uploading of all yearbook photos by affected schools, with Edge Imaging coordinating directly with yearbook advisors to rebuild compromised projects. No evidence indicated access to Entourage’s broader database of page templates, text, or student information, nor was Edge Imaging’s internal IT infrastructure breached. The breach’s scope was confined to the 24-month period during which Edge Imaging utilized Creator Studio Pro, impacting photos stored exclusively within the targeted container. Edge Imaging maintained a dedicated webpage for updates until August 2024, directing inquiries to its privacy officer while emphasizing the incident’s isolation to Entourage’s systems.
