CafePress Was Fined $500,000 Following Major Data Breach
The Company Failed to Prevent a 2019 Cybersecurity Incident that Impacted 23 Million Consumers.
CafePress, Inc. is an American company that operates as an online retailer of both stock and on-demand goods that have been personalized by customers. Although the business was started in San Mateo, California, the company’s current headquarters and manufacturing plant are both located in Louisville, Kentucky. CafePress.com was honored with the People’s Voice Webby Award for Excellence in Commerce in the year 2001.
Customers have the ability to submit their own graphical design, business logo, or text, which the firm will then include into the product. Additionally, print-on-demand services for wall art and stationery are available via CafePress.com. Additionally, the website provides the user the ability to set up their very own “shop” on CafePress, complete with an online storefront, website hosting, order administration, fulfillment, payment processing, and customer care.
The Federal Trade Commission (FTC) of the United States of America has mandated that the former owner of the CafePress t-shirt and merchandise site, Residual Pumpkin Entity, pay a fine in the amount of $500,000 for failing to protect the data of more than 23 million customers and covering up a data breach that affected those customers.
The Federal Trade Commission today took action against online customized merchandise platform CafePress over allegations that it failed to secure consumers’ sensitive personal data and covered up a major breach. The FTC alleges that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions. The Commission’s proposed order requires the company to bolster its data security and requires its former owner to pay a half million dollars to compensate small businesses.
“CafePress employed careless security practices and concealed multiple breaches from consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “These orders dial up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information.”
According to the explanation given by the consumer protection watchdog in a complaint that was filed in March 2022, Residual Pumpkin Entity stored the Social Security numbers of its customers as well as the answers to the password reset questions in plain text and for a longer period of time than was required.
In addition, the organization did not implement the available safeguards or react appropriately to any security problems. It attempted to cover up the significant data breach that had occurred as a consequence of the lax security policies that it had implemented after its servers were repeatedly attacked.
The finalized order stipulates that in addition to paying a fine of $500,000, Residual Pumpkin and PlanetArt (the new owner of CAfePress) are required to implement multi-factor authentication, minimize the amount of data that is collected and retained, and encrypt any and all Social Security numbers that are stored.
PlanetArt was also required to notify customers and sellers whose personal information was accessed or stolen during the security breaches and to offer these buyers and sellers advice on how they may protect themselves from further harm.
As BleepingComputer reported, following a security breach that occurred in February 2019, unknown perpetrators obtained access to, exfiltrated, and subsequently offered for sale on the dark web the personally identifiable information of 23,205,290 CafePress members. This information included the following details:
- millions of email addresses and passwords with weak encryption;
- millions of unencrypted names, physical addresses, and security questions and answers;
- more than 180,000 unencrypted Social Security numbers;
- and tens of thousands of partial payment card numbers and expiration dates.
CafePress is not the only one that got recently fined as, following four security breaches that occurred between 2019 and 2021, which exposed substantial amounts of sensitive customer data, a regulator from the state of New York on Friday levied a fine of $5 million against the cruise line operator Carnival Corp (CCL.N) for “significant” violations of cybersecurity regulations.
According to the Department of Financial Services of the state of New York, Carnival broke a state statute regarding cybersecurity when it failed to employ multi-factor authentication, which would have made it more difficult for dishonest individuals to access the company’s internal network.
If you enjoyed this article, you can drop a comment below and let us know how you feel about it. Don’t forget to follow us on LinkedIn, Twitter, Facebook, Youtube, or Instagram to keep up to date with everything we post!