The US Federal Trade Commission has proposed a settlement that would fine the former owner of US clothing and merchandise retailer CafePress $500,000 for covering up a 2019 data breach that exposed millions of users' sensitive data.
In February 2019, attackers breached CafePress servers and later posted the personal information of more than 23 million users on a well-known cybercrime forum. The data included millions of email addresses and passwords, names, physical addresses, security questions and their answers, and more than 180,000 unencrypted Social Security numbers.
In a complaint filed against Residual Pumpkin Entity, the former owner of CafePress, and PlanetArt, its current owner, the FTC says the company did not disclose the breach until September 2019, a month after it had been widely reported in the media. Although CafePress patched the vulnerability the attackers had exploited, the FTC says the company failed to properly investigate the incident for several months and continued to let consumers access accounts using the information exposed in the hack.
The FTC complaint also cites "careless security practices" at the company, including storing customers' Social Security numbers and password-recovery answers in plain text and keeping user data longer than necessary.
CafePress was also aware of data security problems before the 2019 breach. According to the FTC complaint, the company discovered as early as January 2018 that some shopkeeper accounts had been hacked; its response was to close the hacked accounts and charge their owners a $25 account closure fee.
The FTC further says the company's network suffered a series of malware infections before the 2019 breach that it failed to properly investigate, and that it used consumers' information for marketing despite promising to use such information only to "fulfill orders placed by consumers."
"CafePress used reckless security practices and hid many breaches from consumers," said Samuel Levine, director of the FTC's Bureau of Consumer Protection. "These injunctions call for accountability for poor security practices, requiring damages to small businesses that are harmed and specific controls, such as multi-factor authentication, to better protect personal information."
As part of the settlement, Residual Pumpkin and PlanetArt must implement a comprehensive information security program to address the failures that led to the CafePress breach. This includes replacing weak authentication mechanisms such as security questions with multi-factor authentication, reducing the amount of data the company collects and retains, and encrypting Social Security numbers.
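Two of the practices the complaint singles out, password-recovery answers kept in plain text and personal data retained longer than needed, are easy to get wrong and easy to fix. The following is an added example, not CafePress or PlanetArt code: it places the plain-text pattern beside a hardened version that normalizes the answer, salts it, stretches it with PBKDF2 and compares in constant time, and adds a small retention sweep. The iteration count, the 90-day window, the record layout and the sample records are assumptions for illustration.

```python
"""Added example (not CafePress code): hardened storage for password-recovery
answers and a simple data-retention sweep.  The iteration count, the
retention window and the sample records below are illustrative assumptions."""
import hashlib
import hmac
import os
import unicodedata
from datetime import datetime, timedelta, timezone
from typing import Optional


# --- The practice the complaint describes: answer stored and compared in plain text
def weak_store_answer(answer: str) -> str:
    return answer                      # readable by anyone who can read the table


def weak_verify_answer(stored: str, candidate: str) -> bool:
    return stored == candidate         # exact match only, and not constant-time


# --- Hardened: normalize, salt, stretch with a slow KDF, compare in constant time
ITERATIONS = 600_000                   # assumed cost; tune to ~100 ms on your hardware


def normalize_answer(answer: str) -> str:
    """Fold case, Unicode form and whitespace so 'Fluffy ' and 'fluffy' agree."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_answer(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored parameters; malformed records fail closed."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac("sha256",
                                     normalize_answer(candidate).encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:                 # wrong field count, bad hex or bad integer
        return False
    return hmac.compare_digest(expected, actual)


# --- Retention: drop identifying data once it is no longer needed to fulfil an order
RETENTION = timedelta(days=90)         # assumed policy window


def select_for_purge(records, now):
    """Return ids of records whose last order is older than RETENTION."""
    return [r["id"] for r in records if now - r["last_order_at"] > RETENTION]


def sample_purge_run():
    """Run the sweep over constructed sample records (not real customer data)."""
    now = datetime(2019, 9, 1, tzinfo=timezone.utc)
    records = [
        {"id": 1, "last_order_at": datetime(2019, 1, 1, tzinfo=timezone.utc)},
        {"id": 2, "last_order_at": datetime(2019, 8, 15, tzinfo=timezone.utc)},
    ]
    return select_for_purge(records, now)


if __name__ == "__main__":
    record = hash_answer("Fluffy")
    print(record)
    print("verify ' fluffy ':", verify_answer(record, " fluffy "))
    print("verify 'Rex':", verify_answer(record, "Rex"))
    print("purge ids:", sample_purge_run())
```

Hashing the answer means a dump of the table yields no recovery answers, but it does not make security questions a strong factor; the settlement's requirement to replace them with multi-factor authentication still applies. The self-describing record lets the iteration count be raised later without a migration flag day.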
Representatives for Residual Pumpkin and PlanetArt did not respond to requests for comment before publication.