FTC Settles with Online Gift Shop CafePress Over Data Breach Cover Up and “Shoddy” Security Practices

An announcement from the Federal Trade Commission (FTC) before the close of last week said that it has resolved a dispute with CafePress, self-described as “the world’s best online gift shop,” concerning multiple data breaches and a subsequent cover up. To make amends, the respondent Residual Pumpkin Entity LLC, the former owner of CafePress, and PlanetArt LLC, which bought CafePress in 2020, agreed to beef up their data security and pay small businesses $500 million for their losses.

The FTC filed the CafePress complaint in March 2022, alleging that the respondents relied on lax security measures, inadequate to protect sensitive information stored on its network like Social Security Numbers. Hackers reportedly accessed CafePress’s networks in February 2019, unearthing millions of email addresses and passwords with weak encryption, millions of names, physical addresses, and security questions and answers, more than 180,000 unencrypted Social Security numbers, and tens of thousands of partial payment card numbers and expiration dates, the FTC said.

Moreover, some of that information was reportedly found to be offered for sale on the dark web.

CafePress later patched the vulnerability but failed to properly investigate the breach for several months despite additional warnings, the complaint said. Worse yet, it withheld essential information and only told customers to reset their passwords as part of an update to its password policy.

The final order requires CafePress to enhance its security practices by implementing multi-factor authentication, minimizing the amount of data it collects and retains, and encrypting Social Security Numbers, among other measures. In addition, Residual Pumpkin is responsible for a $500,000 fine, which will be used to provide redress to data breach victims.