2 min read

FTC Proposed Settlement Requires CafePress to Pay $500,000 to 2019 Data Breach Victims

Alina BÎZGĂ

March 16, 2022

On March 15, the US Federal Trade Commission (FTC) announced it will take action against CafePress, a popular custom-merchandise retailer, for failing to secure customer information and for allegedly covering up a major data breach that impacted over 20 million users in 2019.

“The FTC alleges that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions,” the agency said.

In the proposed order, the FTC requires both Residual Pumpkin, CafePress's former owner, and PlanetArt, which has owned it since 2020, to address the security failings that led to the data breaches at CafePress, including:

  • replacing inadequate authentication measures, for example by swapping security questions for multi-factor authentication
  • minimizing data collection and retention
  • encrypting Social Security numbers

Additionally, the proposed settlement requires Residual Pumpkin to pay half a million dollars to victims of the data breaches.

“PlanetArt will be required to notify consumers whose personal information was accessed as a result of CafePress’s data breaches and provide specific information about how consumers can protect themselves,” the FTC added. “Both companies will be required to have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.”

Overview of CafePress 2019 data breach

In February 2019, criminals gained access to CafePress servers and exfiltrated the data of over 23 million users.

A portion of the stolen information was also up for sale on the dark web. It included:

  • millions of email addresses and inadequately encrypted passwords
  • unencrypted names alongside security questions and answers
  • partial payment card numbers with expiration dates
  • over 180,000 unencrypted Social Security numbers.
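The "inadequately encrypted passwords" in the list above, and the FTC's remediation item on authentication, come down to one practical point: a password table protected by a single fast, unsalted hash can be cracked offline against a wordlist with one hash computation per guess, shared across every user in the dump, whereas a per-user salted, memory-hard hash forces a fresh expensive derivation for every (user, guess) pair. The following example is added here for illustration and is not code from CafePress, PlanetArt or the FTC; the article names no algorithm, so unsalted SHA-1 is assumed as the weak scheme, and the accounts and wordlist are constructed sample data.

```python
"""Weak versus adequate password storage, side by side.
Added example for this article, not code from CafePress or the FTC.
Assumption: unsalted SHA-1 stands in for the 'inadequately encrypted'
scheme; the article itself names no algorithm. All data is constructed."""
import hashlib
import hmac
import os
from typing import Dict, List

# Constructed sample breach (e-mail -> plaintext password). Not real data.
SAMPLE_USERS = {
    "alice@example.com": "sunshine1",
    "bob@example.com": "letmein",
    "carol@example.com": "q7#Vp!2zRmL9",   # not in the attacker's wordlist
}

# Constructed wordlist standing in for the multi-million entry lists
# attackers actually use against a dumped table.
WORDLIST = ["123456", "password", "letmein", "sunshine1", "qwerty"]

# Counts how many hash computations each attack needed.
HASH_CALLS = {"weak": 0, "strong": 0}

# scrypt parameters used below (N=2**14, r=8, p=1 is a common baseline).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def weak_store(password: str) -> str:
    """Single round of unsalted SHA-1: fast, and identical for every user
    who chose the same password."""
    HASH_CALLS["weak"] += 1
    return hashlib.sha1(password.encode()).hexdigest()


def crack_weak_table(table: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Offline dictionary attack on an unsalted table: hash each candidate
    once, then look up every user's stored value in that one table."""
    lookup = {weak_store(w): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    """One scrypt derivation; counted so the attack cost is visible."""
    HASH_CALLS["strong"] += 1
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)


def strong_store(password: str) -> str:
    """Per-user random salt plus memory-hard scrypt, stored self-describing
    so the parameters can be raised later without breaking old records."""
    salt = os.urandom(16)
    digest = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Re-derive with the record's own parameters; compare in constant time."""
    _, n, r, p, salt_hex, digest_hex = stored.split("$")
    digest = _derive(password, bytes.fromhex(salt_hex), int(n), int(r), int(p))
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_strong_table(table: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Same attack against the salted store: no shared lookup table is
    possible, so every (user, guess) pair costs a full scrypt derivation."""
    found = {}
    for user, stored in table.items():
        for guess in wordlist:
            if verify_strong(guess, stored):
                found[user] = guess
                break
    return found


if __name__ == "__main__":
    weak_table = {u: weak_store(p) for u, p in SAMPLE_USERS.items()}
    strong_table = {u: strong_store(p) for u, p in SAMPLE_USERS.items()}
    HASH_CALLS["weak"] = HASH_CALLS["strong"] = 0
    print("weak  :", crack_weak_table(weak_table, WORDLIST), HASH_CALLS["weak"], "hashes")
    print("strong:", crack_strong_table(strong_table, WORDLIST), HASH_CALLS["strong"], "derivations")
```

Both attacks recover the two dictionary passwords, but the weak table costs the attacker five hashes for every user at once, while the salted store costs one slow derivation per user per guess and grows linearly with the size of the dump. That difference, multiplied by a real wordlist and 23 million accounts, is what separates a dumped table that is cracked in minutes from one that is not worth the electricity.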

The FTC says that, despite CafePress being notified a month later that hackers had obtained consumer data via a security vulnerability, the company “failed to properly investigate the breach for several months despite additional warnings.”

“This included a warning in April 2019 from a foreign government, which notified the company that a hacker had illegally obtained CafePress customer account information and urged the company to notify affected customers,” the FTC explained. “The company, however, withheld this essential information, and instead only told customers to reset their passwords as part of an update to its password policy.”
