The Federal Trade Commission (FTC) said it will require the former owner of online retailer CafePress to pay $500,000 to compensate small businesses after the company allegedly covered up a major data breach and failed to secure customers’ sensitive data.
In a February 2019 data breach of CafePress, an attacker accessed the customer and seller information of approximately 22 million consumers. That included more than 180,000 unencrypted social security numbers, millions of email addresses and passwords with weak encryption, millions of unencrypted names and physical addresses and tens of thousands of partial payment card numbers and expiration dates. Some of this data was later found for sale on underground forums.
The breach raised questions over how CafePress had initially protected customers’ data and how it responded to the security incident. The FTC alleged that CafePress failed to implement “reasonable security measures” to protect the data of the buyers and sellers on its network and “as a result of its shoddy security practices, CafePress’ network was breached multiple times.”
“CafePress employed careless security practices and concealed multiple breaches from consumers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement. “These orders dial up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information.”
For instance, the FTC said that CafePress stored social security numbers and password reset answers in clear, readable text. It also retained data longer than was necessary, and did not put protections in place that would protect against well-known vulnerabilities like Structured Query Language (SQL) injection attacks. Even before the breach, the company was aware of issues with its data security; for instance, in 2018, when the company found out that accounts of certain shopkeepers had been hacked, it closed the accounts and charged the victims a $25 account closure fee.
After being notified a month after the breach that CafePress had a security vulnerability, the company patched the flaw but failed to properly investigate the breach for several months despite several warnings, the FTC’s complaint alleged. For instance, a foreign government in April 2019 put the company on alert that a hacker had illegally obtained customer account data.
"The facts are pretty bad, and this was an easy case for the FTC to go after."
CafePress also did not inform impacted customers until September 2019, one month after the breach was reported widely. Even then, the company allegedly did not bolster its security practices, allowing people to reset passwords with security questions associated with email addresses, all of which had been previously stolen by the attackers.
“The facts are pretty bad, and this was an easy case for the FTC to go after,” said Ben Rossen, special counsel with Baker Botts. “There was a laundry list of basic security failures. The breach was a bad one. There was actual evidence that hackers had stolen the data, while with other incidents there’s sometimes no such evidence.”
As part of the proposed settlement, CafePress’ former owner, Residual Pumpkin Entity, and current owner, PlanetArt (which bought CafePress in 2020), will be required to implement more comprehensive security programs, including implementing multi-factor authentication methods, encrypting social security numbers and minimizing the data collected. Residual Pumpkin Entity will be required to pay $500,000 in redress to the victims of the data breaches, while PlanetArt will need to notify customers whose personal data was accessed during the breaches. CafePress reached a previous $2 million settlement with seven state attorneys general (led by New York Attorney General Letitia James) in 2020.
Rossen, who is a former senior attorney at the FTC with experience handling high-profile privacy and data security investigations, said that the order - one of the first data security settlements under Lina Khan’s administration since she was sworn in as the FTC Chair in June 2021 - is mostly consistent with how the FTC has handled similar cases in the past. However, Rossen said, it does include a few “nuances we haven’t seen elsewhere.”
For instance, the order bans CafePress from authenticating users through security questions and instead requires multi-factor authentication. It also requires CafePress to establish data minimization policies going forward, which is a “bit unusual” for an order, said Rossen.
“The call out about multi-factor authentication is new, and we haven’t seen it in an order before. [Khan] is trying to put her stamp on this order and move the ball forward a little bit,” said Rossen.