March 16, 2022
FTC Takes Action Against CafePress for Alleged Data Breaches, Cover-Ups
The FTC said CafePress’ lax cybersecurity led to hackings that exposed customers. The online merch retailer then allegedly failed to adequately address the issues and neglected to notify victims expediently.
After hackers infiltrated its clients’ online storefront profiles for selling custom merchandise, CafePress closed the accounts and charged the shopkeepers a $25 closure fee, authorities say.
It’s just one detail of alleged shoddy dealings related to cybersecurity and reported data breach cover-ups that have landed CafePress in hot water with the Federal Trade Commission (FTC).
The FTC announced on March 15 that it’s taking action against CafePress because the company failed to apply reasonable security measures to protect sensitive information on its network.
The action centers on a proposed settlement order that requires the company to beef up its data security. It also mandates that former owner Residual Pumpkin Entity, LLC, pay $500,000 in redress to data breach victims.
“CafePress employed careless security practices and concealed multiple breaches from consumers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “These orders dial up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information.”
CafePress is a web-based retailer of a wide array of stock and user-customized/personalized products that range from mugs and mobile phone accessories to apparel and totes.
As part of its alleged cybersecurity problems, the company housed plain-text social security numbers of customers and inadequately encrypted passwords, investigators said.
CafePress’ failure to apply proper protections led to multiple breaches that were followed by inadequate security responses and covers-ups, authorities alleged.
In February 2019, for example, hackers capitalized on the weak cybersecurity stance and penetrated CafePress’ system, an infiltration that afforded the digital criminals access to millions of email addresses and passwords with weak encryption.
The breach also opened the door to the thieves for millions of unencrypted names, physical addresses, and security questions and answers, as well as more than 180,000 unencrypted social security numbers. Additionally, tens of thousands of partial payment card numbers and expiration dates came within the hackers’ grasp. Some information later was found for sale on the dark web, investigators found.
Here are 7 tips (in under 60 seconds) on how to enhance your cybersecurity. #cybersecurity #ransomware #ASIMedia #promoproductshttps://t.co/UEYNVbPmBv pic.twitter.com/gvAlE0MW7s
— Theresa Hegel (@TheresaHegel) June 4, 2021
After being notified about the hack, CafePress patched the vulnerability but failed to properly investigate the breach for several months despite additional warnings, according to the FTC.
“This included a warning in April 2019 from a foreign government, which notified the company that a hacker had illegally obtained CafePress customer account information and urged the company to notify affected customers,” the FTC said. “The company, however, withheld this essential information, and instead only told customers to reset their passwords as part of an update to its password policy.”
CafePress only told customers about the February 2019 breach in September of that year, after it was widely reported, authorities said. Even so, customers were still at risk due to continued limpid security practices.
“For example, the company continued to allow people to reset their passwords on the website by answering security questions associated with customer email addresses – the same information that had been previously stolen by hackers,” the FTC noted.
Prior to the 2019 hack, CafePress experienced what investigators described as multiple malware infections of its network. Still, the company allegedly didn’t bother to investigate the source of the attacks. The hack of CafePress shopkeeper accounts occurred in 2018. The shops are online storefronts from which CafePress customers can retail brandable merch.
In addition to its security failures, CafePress misled users by using consumer email addresses for marketing despite its promises that such information would only be for fulfilling orders consumers had placed.
Authorities are warning private sector companies to be on high alert for increased #cyberattacks from Russia-backed hackers. #Promoproducts companies should be taking action to bolster their cybersecurity position. https://t.co/Mqm6DOIKhr @asicentral @ASI_MBell @Tim_Andrews_ASI
— Chris Ruvo (@ChrisR_ASI) February 23, 2022
PlanetArt LLC bought CafePress from Residual Pumpkin in 2020. In an email to Reuters, PlanetArt CEO Roger Bloxberg noted that the 2019 breach occurred before PlanetArt owned CafePress. Nonetheless, he said the parent firm is “happy to agree to its role” in the settlement with the FTC.
Beyond the half-million-dollar payout to victims, the settlement orders PlanetArt and Residual Pumpkin to implement comprehensive information security programs that address failings that led to the data breaches at CafePress. It also requires PlanetArt to notify consumers whose personal information was accessed in the hacks and to provide specific information about how the victims can protect themselves.
Additionally, the FTC is ordering that a third party assess the bolstered information security programs of PlanetArt and Residual Pumpkin. The outside analyst will provide the commission with a redacted copy of the assessment, which will be made available to the public.
At this point, the settlement remains proposed. Before the FTC can finalize it, the consent agreement stipulating the terms/orders must be published in the Federal Register and subjected to a 30-day public review/comment period. After that, the FTC takes into account the public feedback before potentially rendering a final decision.
In a separate agreement, CafePress reached a $2 million settlement with seven state attorneys general over the 2019 hacking.