A leading US regulator has fined CafePress half a million dollars following a 2019 data breach that impacted 23 million customers.
Consumer rights agency the FTC argued in its finalized order that the online merchandise site failed to implement reasonable security measures to protect the info of buyers and sellers and that it even tried to cover up the breach.
Directed at previous owner Residual Pumpkin Entity and current owner PlanetArt, which bought CafePress in 2020, an FTC complaint alleged several key security failings.
Social Security numbers and password reset answers were stored in plain text, data was retained longer than necessary and preventative and adequate detection and response technologies were not deployed, it alleged.
Residual Pumpkin entity must now pay the $500,000 fine to compensate victims of the breach, while PlanetArt has been ordered to notify all breach victims and provide information on how consumers can protect themselves.
The two companies were also ordered to implement “comprehensive information security programs” that will require them to:
- Roll-out multifactor authentication
- Minimize the amount of data they collect and retain
- Encrypt Social Security numbers
- Share a third-party assessment of their new information security programs with the FTC
The breach itself was first publicized in August 2019, although it took a further month before CafePress started informing affected customers.
According to breach notification site HaveIBeenPwned, hackers stole 23 million unique email addresses, names, physical addresses, phone numbers and passwords stored as SHA-1 hashes.
Following the incident, users were forced to change their logins but were told this was due to a password policy ‘update’ rather than a breach.
The FTC’s order was approved by a unanimous 5-0 vote.