FTC Accuses CafePress of Data Breach
The Federal Trade Commission (FTC) is acting against e-commerce platform CafePress for allegedly failing to secure consumers’ sensitive data and covering up a “major breach.”
In a complaint filed against Residual Pumpkin Entity, LLC, the former owner of CafePress, and PlanetArt, LLC, which bought CafePress in 2020, the FTC accused CafePress of neglecting to implement reasonable security measures to protect sensitive information stored on its network.
“CafePress employed careless security practices and concealed multiple breaches from consumers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection.
“These orders dial up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information.”
The complaint accuses CafePress of storing Social Security numbers in plain text and not going far enough to protect inadequately encrypted passwords belonging to the buyers and sellers who used its platform.
“In addition to storing Social Security numbers and password reset answers in clear, readable text, CafePress retained the data longer than was necessary,” said the FTC.
“The company also failed to apply readily available protections against well-known threats and adequately respond to security incidents, the complaint alleged.”
When investigating the data security practices of CafePress, the FTC found that the company’s IT network had been breached multiple times. Notably, in February 2019, a hacker gained access to millions of email addresses and passwords with weak encryption; millions of unencrypted names, physical addresses and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates.
It is also alleged that CafePress misled users by using consumer email addresses for marketing purposes despite promising that the addresses would only be used to complete orders consumers had placed.
As part of the proposed settlement, Residual Pumpkin will be required to pay $500k in redress to victims of the data breaches. PlanetArt will be required to notify consumers whose personal information was compromised due to CafePress’s data breaches and tell them how they can protect themselves from identity theft.