Government

FTC settlement requires CafePress owners to pay $500,000 to victims of 2019 data breach

The commission accused the company of covering up the hack.

March 15, 2022

(Getty Images)

The Federal Trade Commission is requiring customized merchandise platform CafePress to pay victims of a 2019 data breach $500,000 in redress.

The regulator accused the company of inadequately securing user data and ignoring known security threats, failures which led to a February 2019 breach in which a hacker accessed millions of email addresses and passwords. The hacker used the stolen credentials to find 180,000 unencrypted Social Security numbers. Some of the information was later found on the dark web.

According to the complaint, the company quietly patched the vulnerability but did not notify customers until a month after the breach was publicly reported in August 2019. The company continued to allow consumers to use information exposed in the hack to login to user accounts.

The 2019 breach was not the first cybersecurity incident the company hid from customers, the FTC alleges. In January 2018, CafePress charged shopkeepers whose accounts the company determined to be compromised $25 to close their accounts.

“The company also experienced several malware infections to its network prior to the 2019 hack but failed to investigate the source of such attacks,” according to the complaint.

“CafePress employed careless security practices and concealed multiple breaches from consumers,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said Tuesday in a news release announcing the fine. “These orders dial up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information.”

Terms of the settlement include that the company replace inadequate authentication measures such as security questions with multi-factor authentication. The complaint also alleges CafePress “misled users by using consumer email addresses for marketing despite its promises that such information would only be used to fulfill orders consumers had placed.”

The settlement names Residual Pumpkin Entity, LLC, the former owner of CafePress, and PlanetArt, LLC, which bought CafePress in 2020.

Seven states attorneys general led by New York reached a $2 million agreement with CafePress in 2020 over the 2018 breach. The agreement included voluntary compliance with new security measures.

CafePress did not immediately respond to a request for comment.

FTC settlement requires CafePress owners to pay $500,000 to victims of 2019 data breach

More Like This

House passes bill to limit personal data purchases by law enforcement, intelligence agencies

With a mysterious surveillance target identified, calls for Congress to change course

Congressional privacy bill looks to rein in data brokers

Top Stories

Mandiant: Notorious Russian hacking unit linked to breach of Texas water facility

‘Large volume’ of data stolen from UN agency after ransomware attack

More Scoops

FTC accuses genetic testing company of exposing sensitive health data

GoodRx will settle claim it shared sensitive health data with advertisers

LastPass breach exposes how US breach notification laws can leave consumers in the lurch

Regulators slam Twitter with $150M fine over using consumer security data for advertising

FTC warns of potential penalties for firms that fail to fix Log4j software flaws

Internet providers fail to inform Americans about how they use sensitive data for advertising, FTC says

FTC proposes first stalkerware ban, promises to toughen stance on abusive apps

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics