Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

FTC Takes Action Against CafePress Over Massive Data Breach, Cover-Up

The Federal Trade Commission (FTC) on Friday announced that it has finalized an order against CafePress, requiring it to improve its security posture following a cybersecurity incident that the company attempted to cover up.

The Federal Trade Commission (FTC) on Friday announced that it has finalized an order against CafePress, requiring it to improve its security posture following a cybersecurity incident that the company attempted to cover up.

CafePress is an online retailer of products such as T-shirts, bags, calendars and mugs, which users can customize with their own graphics designs or texts. It also allows users to have virtual shops on the platform.

The FTC order was finalized roughly four months after a settlement over the poor cybersecurity practices employed by CafePress, which have led to sensitive personal information being compromised in a data breach.

The breach came to light in 2019 and it reportedly impacted 23 million accounts. Despite repeated attempts to get the company to take proper action, CafePress not only failed to secure its systems, but also decided not to inform impacted customers about this and other cybersecurity incidents.

A complaint was filed against former CafePress owner Residual Pumpkin Entity, LLC, and against the current owner, PlanetArt, LLC. The complaint claims that CafePress retained user data longer than needed, stored Social Security numbers in plaintext, failed to secure its systems against known threats, and covered up the 2019 data breach.

On Friday, the FTC announced that, per its finalized order, Residual Pumpkin and PlanetArt are required to improve their security practices through the adoption of multi-factor authentication, to minimize the amount of collected data, and to store Social Security numbers encrypted.

Per the FTC’s order, each of the two companies needs to implement a comprehensive information security program – “that protects the privacy, security, confidentiality, and integrity of such Personal Information” – within 60 days after the issuance of the order.

Advertisement. Scroll to continue reading.

Additionally, both companies are required to have their information security programs assessed by a third-party and to provide the FTC with a copy of the assessment that can be publicly shared.

Furthermore, the FTC ordered Residual Pumpkin to pay $500,000 that will be sent as relief to the victims of the data breach and asked PlanetArt to notify consumers whose personal information was compromised.

The two companies are also required to provide the FTC with an annual certification from a senior corporate manager, detailing both their compliance with the order and a description of any cyber incident that might have occurred during the certified period. All incidents should be reported to the FTC within 30 days.

Related: FTC: Patch Log4j Vulnerability to Avoid Potential Legal Action

Related: FTC Says Zoom Misled Users on Its Security for Meetings

Related: FTC Settles With Canadian Smart Lock Maker Over Security Practices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...