The FTC announced yesterday that it has taken actions against CafePress following an alleged data breach and subsequent “cover up.”
The agency claims that CafePress “failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions.” CafePress also allegedly didn’t apply adequate protection following security threats, leading to the breach.
As part of the proposed settlement, CafePress will need to implement information security programs, and former CafePress owner Residual Pumpkin must pay $500,000 to small businesses affected by the data breach.
“CafePress employed careless security practices and concealed multiple breaches from consumers,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “These orders dial up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information.”
According to the FTC, a hacker circumvented CafePress’s security systems in February 2019 and acquired “millions of email addresses and passwords with weak encryption; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates.”
#FutureCybersecurity – cautionary story posted by the US @FTC abt "hackers' exploitation of online retailing platform #CafePress’s security failures to access personal info about millions of CafePress users." Take care where you enter #PII. #TheInfiniteAge https://t.co/moC6JGyvh0
— Don West (@TheInfiniteAge) March 16, 2022
Some of the information the hacker obtained was later found for sale.
CafePress was allegedly notified of its cybersecurity issues that March, leading the company to patch the vulnerable points, but it did not investigate the breach for “several months,” despite warnings. It also withheld information about the hack from customers, only telling them to reset their passwords as part of a policy update.
The FTC alleges that CafePress didn’t actually alert affected customers until September 2019, a month after the breach was more widely reported. Also, the company allowed users to reset passwords using the security questions that were accessed in the original hack.
The company also allegedly misled users by using email addresses in marketing efforts, despite telling users that their email addresses would only be used for fulfilling orders.
Until now, things at CafePress had been quiet, but the company is only a few years removed from some significant turmoil. In 2018, amid declining sales, CafePress cut staff, including its chief operating officer and two board members, while co-founder and then-CEO Fred Durham slashed his salary.
Snapfish then acquired CafePress for $25 million, but that sale was met with a class-action lawsuit. Current owner PlanetArt acquired the company in 2020. According to Reuters, PlanetArt CEO Roger Bloxberg said the 2019 data breach happened “well before” the company bought CafePress, but that it was happy to comply with the FTC.