FTC Accuses CafePress of Data Breach "Cover-Up"


The Federal Trade Commission (FTC) is acting against e-commerce platform CafePress for allegedly failing to secure consumers’ sensitive data and covering up a “major breach.”

In a complaint filed against Residual Pumpkin Entity, LLC, the former owner of CafePress, and PlanetArt, LLC, which bought CafePress in 2020, the FTC accused CafePress of neglecting to implement reasonable security measures to protect sensitive information stored on its network.

“CafePress employed careless security practices and concealed multiple breaches from consumers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. 

“These orders dial up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information.”

The complaint accuses CafePress of storing Social Security numbers in plain text and of inadequately protecting the passwords of the buyers and sellers who used its platform, which were only weakly encrypted. 

“In addition to storing Social Security numbers and password reset answers in clear, readable text, CafePress retained the data longer than was necessary,” said the FTC. 

“The company also failed to apply readily available protections against well-known threats and adequately respond to security incidents, the complaint alleged.”

When investigating the data security practices of CafePress, the FTC found that the company’s IT network had been breached multiple times. Notably, in February 2019, a hacker gained access to millions of email addresses and passwords with weak encryption; millions of unencrypted names, physical addresses and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates.
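The complaint's central technical point is that passwords and password reset answers were held in a form an intruder could read or reverse. The following added example, which is not code from the FTC complaint, CafePress or PlanetArt, shows the storage pattern that avoids this: each secret is run through a salted, slow one-way key derivation (PBKDF2-HMAC-SHA256 from Python's standard library) so that a copied database yields only per-user digests, and reset answers are normalized before hashing so that legitimate variations in case and spacing still verify. The iteration count, the sample secrets and the field names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass

# Assumption: 600,000 iterations follows current OWASP guidance for
# PBKDF2-HMAC-SHA256; tune to your hardware and revisit periodically.
DEFAULT_ITERATIONS = 600_000


@dataclass(frozen=True)
class StoredSecret:
    """What the database keeps: a random salt, the derived digest and the
    work factor used, so the factor can be raised later without a flag day."""
    salt: bytes
    digest: bytes
    iterations: int


def hash_secret(secret: str, iterations: int = DEFAULT_ITERATIONS) -> StoredSecret:
    """Derive a one-way, per-user-salted digest. Nothing stored here can be
    turned back into the original password or answer."""
    salt = os.urandom(16)  # fresh salt per record defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return StoredSecret(salt=salt, digest=digest, iterations=iterations)


def verify_secret(candidate: str, stored: StoredSecret) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time
    so response timing does not leak how many digest bytes matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), stored.salt, stored.iterations
    )
    return hmac.compare_digest(digest, stored.digest)


def _normalize_answer(answer: str) -> str:
    """Reset answers are typed from memory: fold case, collapse whitespace and
    apply Unicode NFKC so "Fluffy " and "fluffy" hash identically."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_reset_answer(answer: str, iterations: int = DEFAULT_ITERATIONS) -> StoredSecret:
    """Store a password reset answer the same way as a password, never in clear text."""
    return hash_secret(_normalize_answer(answer), iterations)


def verify_reset_answer(answer: str, stored: StoredSecret) -> bool:
    return verify_secret(_normalize_answer(answer), stored)


if __name__ == "__main__":
    # Constructed sample values, not data from the case.
    record = hash_secret("correct horse battery staple")
    print("password ok:", verify_secret("correct horse battery staple", record))
    print("wrong password:", verify_secret("Correct horse battery staple", record))
    answer = hash_reset_answer("  Fluffy ")
    print("reset answer ok:", verify_reset_answer("fluffy", answer))
```

Because the digest is one-way and salted per user, a breach of the table exposes no reusable credential and no reset answer, and the stored iteration count lets an operator raise the work factor as hardware improves.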

It is also alleged that CafePress misled users by using consumer email addresses for marketing purposes despite promising that the addresses would only be used to complete orders consumers had placed.

As part of the proposed settlement, Residual Pumpkin will be required to pay $500k in redress to victims of the data breaches. PlanetArt will be required to notify consumers whose personal information was compromised due to CafePress’s data breaches and tell them how they can protect themselves from identity theft.
