Ex-CafePress owner fined $500,000 for 'shoddy' security, covering up data breach

When victim accounts were closed after being hacked in one incident, CafePress went so far as to charge them a $25 fee.
Written by Charlie Osborne, Contributing Writer

CafePress's past owner has been fined $500,000 over a litany of security failures and data breaches. 

CafePress is a US platform offering print-on-demand products including clothing, home decor, and kitchenware. Sellers can sign up to the platform, upload their designs, and CafePress takes a cut of any sales made. 

These businesses require key financial information from sellers and purchasers to operate, and as such, they are expected to securely manage this information and handle transactions with security in mind. 

However, CafePress became the subject of a US Federal Trade Commission (FTC) investigation surrounding how it handled security -- and how the firm allegedly "failed to secure consumers' sensitive personal data and covered up a major breach."

On March 15, the US regulator said that Residual Pumpkin is required to pay $500,000 in damages. According to the FTC's complaint (.PDF), issued against the platform's former owner Residual Pumpkin Entity, LLC, and its current owner PlanetArt, LLC, there was a lack of "reasonable security measures" to prevent data breaches.  

In addition, the FTC claims that CafePress kept user data for longer than necessary, stored personally identifiable information (PII) including Social Security numbers and password reset answers in cleartext, and did not patch against known system vulnerabilities. 

"As a result of its shoddy security practices, CafePress' network was breached multiple times," the FTC says. 

CafePress experienced a major security incident in 2019. An attacker infiltrated the platform in February 2019 and was able to access data belonging to millions of users. 

This included email addresses, poorly-encrypted passwords, names, home addresses, security questions and answers, some partial card payment records, phone numbers, and at least 180,000 unencrypted Social Security numbers. 

The datasets, some of which were then sold online, were added to Troy Hunt's Have I Been Pwned search engine in August 2019. 

According to the FTC, CafePress was notified a month after the breach and did patch the security flaw -- but did not investigate the breach properly "for several months." 

Customers were also not told. Instead, CafePress implemented a forced password reset as part of its "policy" and only informed users in September 2019, once the data breach had been publicly reported. 

In a separate case in 2018, CafePress allegedly was made aware of shops being compromised. These accounts were closed -- and the shopkeepers, the victims, were then charged $25 account closure fees. 

The FTC also claims that the company "misled" users by using consumer email addresses for marketing, despite promises to the contrary. 

While Residual Pumpkin will bear the cost of the order, PlanetArt is also required to notify consumers who were impacted by CafePress security incidents. 

In addition, both companies will have to hire third-party experts to perform security audits and must redress any existing security issues -- including replacing security questions with multi-factor authentication (MFA) processes, encrypting Social Security numbers, and tightening up their data storage and retention practices. 

"CafePress employed careless security practices and concealed multiple breaches from consumers," commented Samuel Levine, Director of the FTC's Bureau of Consumer Protection. "These orders dial-up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information."

The agreement is subject to public comment before being made final. 

Update 14.58 GMT: CafePress told ZDNet: 

"The data breach occurred well before PlanetArt bought the CafePress brand and happened under the technology leadership of the brand's prior owner. PlanetArt was happy to agree to the FTC's request that PlanetArt also become obligated to the FTC's settlement with the prior owner, as it comports with the priority PlanetArt has always placed on cybersecurity specifically and, more generally, on consumer protection."

Clarification 10.32am GMT: ZDNet has corrected the penalty amount to $500,000. ZDNet regrets the error. 
