CafePress Fined $500,000 After Massive Data Breach
A leading US regulator has fined CafePress half a million dollars following a 2019 data breach that impacted 23 million customers.
Consumer rights agency the FTC argued in its finalized order that the online merchandise site failed to implement reasonable security measures to protect the info of buyers and sellers and that it even tried to cover up the breach.
The FTC complaint, directed at previous owner Residual Pumpkin Entity and at current owner PlanetArt, which bought CafePress in 2020, alleged several key security failings.
It alleged that Social Security numbers and password reset answers were stored in plain text, that data was retained longer than necessary, and that adequate preventative, detection and response technologies were not deployed.
Residual Pumpkin Entity must now pay the $500,000 fine to compensate victims of the breach, while PlanetArt has been ordered to notify all breach victims and provide information on how consumers can protect themselves.
The two companies were also ordered to implement “comprehensive information security programs” that will require them to:
- Roll out multifactor authentication
- Minimize the amount of data they collect and retain
- Encrypt Social Security numbers
- Share a third-party assessment of their new information security programs with the FTC
The breach itself was first publicized in August 2019, although it took a further month before CafePress started informing affected customers.
According to the breach notification site HaveIBeenPwned, hackers stole 23 million unique email addresses, along with names, physical addresses, phone numbers and passwords stored as SHA-1 hashes.
Following the incident, users were forced to change their logins but were told this was due to a password policy ‘update’ rather than to a breach.
The FTC’s order was approved by a unanimous 5-0 vote.