FTC settlement requires CafePress owners to pay $500,000 to victims of 2019 data breach

The commission accused the company of covering up the hack.
(Getty Images)

The Federal Trade Commission is requiring customized merchandise platform CafePress to pay victims of a 2019 data breach $500,000 in redress.

The regulator accused the company of inadequately securing user data and ignoring known security threats, failures which led to a February 2019 breach in which a hacker accessed millions of email addresses and passwords. The hacker used the stolen credentials to find 180,000 unencrypted Social Security numbers. Some of the information was later found on the dark web.

According to the complaint, the company quietly patched the vulnerability but did not notify customers until a month after the breach was publicly reported in August 2019. The company continued to allow consumers to use information exposed in the hack to login to user accounts.

The 2019 breach was not the first cybersecurity incident the company hid from customers, the FTC alleges. In January 2018, CafePress charged shopkeepers whose accounts the company determined to be compromised $25 to close their accounts.


“The company also experienced several malware infections to its network prior to the 2019 hack but failed to investigate the source of such attacks,” according to the complaint.

“CafePress employed careless security practices and concealed multiple breaches from consumers,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said Tuesday in a news release announcing the fine. “These orders dial up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information.”

Terms of the settlement include that the company replace inadequate authentication measures such as security questions with multi-factor authentication. The complaint also alleges CafePress “misled users by using consumer email addresses for marketing despite its promises that such information would only be used to fulfill orders consumers had placed.”

The settlement names Residual Pumpkin Entity, LLC, the former owner of CafePress, and PlanetArt, LLC, which bought CafePress in 2020.

Seven states attorneys general led by New York reached a $2 million agreement with CafePress in 2020 over the 2018 breach. The agreement included voluntary compliance with new security measures.


CafePress did not immediately respond to a request for comment.

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts