FTC Accuses CafePress of Data Breach
The Federal Trade Commission (FTC) is acting against e-commerce platform CafePress for allegedly failing to secure consumers’ sensitive data and covering up a “major breach.”
In a complaint filed against Residual Pumpkin Entity, LLC, the former owner of CafePress, and PlanetArt, LLC, which bought CafePress in 2020, the FTC accused CafePress of neglecting to implement reasonable security measures to protect sensitive information stored on its network.
“CafePress employed careless security practices and concealed multiple breaches from consumers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection.
“These orders dial up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information.”
The complaint accuses CafePress of storing Social Security numbers in plain text and not going far enough to protect inadequately encrypted passwords belonging to the buyers and sellers who used its platform.
“In addition to storing Social Security numbers and password reset answers in clear, readable text, CafePress retained the data longer than was necessary,” said the FTC.
“The company also failed to apply readily available protections against well-known threats and adequately respond to security incidents, the complaint alleged.”
When investigating the data security practices of CafePress, the FTC found that the company’s IT network had been breached multiple times. Notably, in February 2019, a hacker gained access to millions of email addresses and passwords with weak encryption; millions of unencrypted names, physical addresses and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates.
It is also alleged that CafePress misled users by using consumer email addresses for marketing purposes despite promising that the addresses would only be used to complete orders consumers had placed.
As part of the proposed settlement, Residual Pumpkin will be required to pay $500k in redress to victims of the data breaches. PlanetArt will be required to notify consumers whose personal information was compromised due to CafePress’s data breaches and tell them how they can protect themselves from identity theft.