The U.S. Federal Trade Commission has proposed a settlement that will fine the former owner of U.S. custom clothing and merchandise retailer CafePress $500,000 for attempting to cover up a 2019 data breach that exposed the sensitive data of millions of users.
Hackers breached CafePress’ servers in February 2019 and subsequently published the personal information of more than 23 million users on known cybercrime forums. This included millions of email addresses and passwords, unencrypted names, physical addresses, security questions and answers, and more than 180,000 unencrypted Social Security numbers.
In a complaint filed against former CafePress owner Residual Pumpkin Entity and current owner PlanetArt, the FTC said the company didn’t disclose the data breach until September 2019, a month after it was widely reported in the media. While CafePress had patched the vulnerability used by the hackers, the company failed to properly investigate the incident for several months, according to the FTC, and continued to let consumers log into their accounts using the same credentials that had been exposed in the hack.
The FTC complaint also takes issue with the organizations’ “shoddy security practices,” which included storing customers’ Social Security numbers and password reset answers in plaintext and storing user data longer than necessary.
CafePress was aware that it had data security problems prior to the 2019 data breach, too. According to the FTC’s complaint, the company discovered that some shopkeepers’ accounts had been hacked through at least January 2018, an incident that led to CafePress closing the compromised accounts and charging the owners a $25 account closure fee.
The company’s network was also hit by several malware infections before the 2019 security breach, which the company failed to properly investigate, the FTC said, and it also “misled users by using email addresses for marketing despite its promises that such information would only be used to fulfill orders consumers had placed.”
“CafePress employed careless security practices and concealed multiple breaches from consumers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “These orders dial up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information.”
As part of the settlement, Residual Pumpkin and PlanetArt will be required to roll out comprehensive information security programs that address the problems that led to the data breaches at CafePress. This will include replacing inadequate authentication measures, such as security questions, with multi-factor authentication methods, minimizing the amount of data they collect and retain, and encrypting Social Security numbers.
Spokespeople for Residual Pumpkin and PlanetArt did not respond to requests for comment prior to publication.