Leading online gift shop CafePress is the target of a proposed national class-action lawsuit in the United States after allegedly failing to update its security software and taking months to inform customers of a data breach.
The retailer was heavily criticized earlier this year for its poor cybersecurity and incident response after it emerged that 23 million customers had their personal data stolen in a breach that is thought to have occurred in February 2019.
Third-party consumer sites, including weleakinfo.com and haveibeenpwnd.com, were independently warning consumers of the breach as early as July 13, 2019, but the incident was not officially reported by CafePress to their customers until last week.
Data exposed by the breach included email addresses, names, physical addresses, phone numbers, and passwords stored as SHA-1 hashes.
The suit has been filed by consumer-rights law firm FeganScott, which alleges that CafePress failed to employ best practices when alerting customers of the data breach. According to the complaint, CafePress’ first notifications appeared on its website on September 5, but the company did not directly notify its customers until October 2, 2019.
"As galling as it is to know that a national retailer like CafePress failed in its duty to safeguard consumer information, it is reprehensible that they knew—or should have known—about the breach and failed to warn their customers that their credit card information and Social Security numbers could be for sale to the highest bidder on the dark web," said Beth Fegan, a founder of FeganScott.
It is further alleged that CafePress failed to offer adequate protection to its customers by neglecting to update security software that was widely known to be flawed.
"CafePress allegedly relied on Secure Hash Algorithm 1 (SHA-1) as the lynchpin of its data security," said Fegan. "Hackers and security experts know that SHA-1 has been useless in protecting data since about 2005. These days, SHA-1 is the digital equivalent of a picket fence when it comes to keeping the wolves from the sheep."
The suit, filed today in US District Court in Illinois, seeks to represent all US consumers who were impacted by the breach. Consumers who are interested in learning more about this class-action suit can contact cafepress@feganscott.com.