FTC Proposed Settlement Requires CafePress to Pay $500,000 to 2019 Data Breach Victims

On March 15, the US Federal Trade Commission (FTC) announced it will take action against CafePress, a popular custom-retail shop, for failing to secure customer information, and for allegedly covering up a major data breach that impacted over 20 million users in 2019.

“The FTC alleges that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions,” the agency said.

In the proposed Order, the FTC requires both former owner Residual Pumpkin and PlanetArt, which has owned it since 2020, to address the security mishaps that led to the data breaches at CafePress, including:

• replacing inadequate authentication measures, such as replacing security questions with multi-factor authentication methods
• minimizing data collection and retention
• encrypting Social Security numbers

Additionally, the proposed settlement requires Residual Pumpkin to pay half a million dollars to victims of the data breaches.

“PlanetArt will be required to notify consumers whose personal information was accessed as a result of CafePress’s data breaches and provide specific information about how consumers can protect themselves,” the FTC added. “Both companies will be required to have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.”

Overview of CafePress 2019 data breach

In February 2019, criminals gained access to CafePress servers and to exfiltrated the data of over 23 million users.

A portion of the stolen information was also up for sale on the dark web. It included:

• millions of email addresses and passwords with weak encryption
• unencrypted names alongside security questions and answers
• partial payment card numbers with expiration dates
• over 180,000 unencrypted Social Security numbers.

The FTC says that, despite CafePress being notified a month later that hackers had obtained consumer data via a security vulnerability, the company “failed to properly investigate the breach for several months despite additional warnings.”

“This included a warning in April 2019 from a foreign government, which notified the company that a hacker had illegally obtained CafePress customer account information and urged the company to notify affected customers,” the FTC explained. “The company, however, withheld this essential information, and instead only told customers to reset their passwords as part of an update to its password policy.”

Are you the victim of a data breach? Find out now with Bitdefender Digital Identity Protection, a dedicated privacy-focused tool that continuously scours the public and dark web for any data leaks that may put your identity and financial security at risk.

You can also find and delete old accounts, immediately respond to data breaches with 24/7 dark web monitoring and sniff out social media doppelgangers who can ruin your online reputation.

For every revealed data entry, privacy risk or data breach, you get one-click action items that let you close off any security risks by immediately changing compromised passwords or adjusting privacy settings on all of your accounts.