DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

FTC Takes Action Against CafePress for Data Breach Cover Up and Poor Security

Posted on March 15, 2022 by Dissent

The FTC has taken enforcement action against CafePress stemming, in part from a 2019 data breach previously reported on this site. In December, 2020, seven states settled charges with CafePress.


The Federal Trade Commission today took action against online customized merchandise platform CafePress over allegations that it failed to secure consumers’ sensitive personal data and covered up a major breach. The FTC alleges that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions. The Commission’s proposed order requires the company to bolster its data security and requires its former owner to pay a half million dollars to compensate small businesses.

“CafePress employed careless security practices and concealed multiple breaches from consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “These orders dial up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information.”

In a complaint filed against Residual Pumpkin Entity, LLC, the former owner of CafePress, and PlanetArt, LLC, which bought CafePress in 2020, the FTC alleged that CafePress failed to implement reasonable security measures to protect the sensitive information of buyers and sellers stored on its network. In addition to storing Social Security numbers and password reset answers in clear, readable text, CafePress retained the data longer than was necessary. The company also failed to apply readily available protections against well-known threats and adequately respond to security incidents, the complaint alleged. As a result of its shoddy security practices, CafePress’ network was breached multiple times.

According to the complaint, a hacker exploited the company’s security failures in February 2019 to access millions of email addresses and passwords with weak encryption; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates. Some of the information was later found for sale on the Dark Web.

After being notified a month later that it had a security vulnerability and that hackers had obtained consumer data, CafePress patched the vulnerability but failed to properly investigate the breach for several months despite additional warnings, the complaint alleged. This included a warning in April 2019 from a foreign government, which notified the company that a hacker had illegally obtained CafePress customer account information and urged the company to notify affected customers. The company, however, withheld this essential information, and instead only told customers to reset their passwords as part of an update to its password policy.

The complaint alleges CafePress did not inform affected customers until September 2019—one month after the breach was reported widely. The company’s lax security practices, however, still left many consumers at risk. For example, the company continued to allow people to reset their passwords on the website by answering security questions associated with customer email addresses—the same information that had been previously stolen by hackers.

According to the complaint, CafePress was aware of problems with its data security prior to the 2019 data breach. Through at least January 2018, when CafePress determined that certain accounts of shopkeepers had been hacked, CafePress closed the accounts and charged the victims a $25 account closure fee. The company also experienced several malware infections to its network prior to the 2019 hack but failed to investigate the source of such attacks.

In addition to its security failures, the FTC alleged the company misled users by using consumer email addresses for marketing despite its promises that such information would only be used to fulfill orders consumers had placed.

As part of the proposed settlement, Residual Pumpkin and PlanetArt will be required to implement comprehensive information security programs that will address the problems that led to the data breaches at CafePress. This includes replacing inadequate authentication measures such as security questions with multi-factor authentication methods; minimizing the amount of data they collect and retain; and encrypting Social Security numbers.

In addition, the proposed settlement requires Residual Pumpkin to pay $500,000 in redress to victims of the data breaches. PlanetArt will be required to notify consumers whose personal information was accessed as a result of CafePress’s data breaches and provide specific information about how consumers can protect themselves. Both companies will be required to have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.

The Commission voted 4-0 to issue the proposed administrative complaint and to accept the consent agreement with the companies.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $46,517.

The Federal Trade Commission works to promote competition and to protect and educate consumers. You can learn more about consumer topics and report scams, fraud, and bad business practices online at ReportFraud.ftc.gov. Like the FTC on Facebook, follow us on Twitter, get consumer alerts, read our blogs, and subscribe to press releases for the latest FTC news and resources.

Source: Federal Trade Commission

Category: Business SectorCommentaries and AnalysesOf NoteU.S.

Post navigation

← East Tennessee Children’s Hospital Statement on Security Issue
Sg: 26 months’ jail for man who stalked SMU peer, hacked email accounts, leaked others’ sex videos →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC
  • CISA Alert: Updated Guidance on Play Ransomware
  • Almost one year later, U.S. Dermatology Partners is still not being very transparent about their 2024 breach

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.