The U.S. Federal Trade Commission has proposed a settlement that would fine the former owner of U.S. custom clothing and merchandise retailer CafePress $500,000 for attempting to cover up a 2019 data breach that exposed the sensitive data of millions of users.
Hackers breached CafePress' servers in February 2019 and subsequently published the personal information of more than 23 million users on known cybercrime forums. This included millions of email addresses and passwords, unencrypted names, physical addresses, security questions and answers, and more than 180,000 unencrypted Social Security numbers.
In a complaint filed against former CafePress owner Residual Pumpkin Entity and current owner PlanetArt, the FTC said the company did not disclose the data breach until September 2019, a month after it was widely reported in the media. While CafePress had patched the vulnerability used by the hackers, the company failed to properly investigate the incident for several months, according to the FTC, and continued to allow users to log into their accounts with the credentials exposed in the hack.
The FTC complaint also takes issue with the organizations' "shoddy security practices," which included storing customers' Social Security numbers and password reset answers in plaintext and retaining user data longer than necessary.
CafePress was aware that it had data security problems prior to the 2019 data breach, too. According to the FTC's complaint, the company discovered that some shopkeepers' accounts had been hacked through at least January 2018, an incident which led to CafePress closing the compromised accounts and charging the owners a $25 account closure fee.
The company's network was also hit by several malware infections before the 2019 security breach, which the company failed to properly investigate, the FTC said, and it also "misled users by using email addresses for marketing despite its promises that such information would only be used to fulfill orders users had placed."
"CafePress employed careless security practices and concealed multiple breaches from consumers," said Samuel Levine, director of the FTC's Bureau of Consumer Protection. "These orders dial up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information."
As part of the settlement, Residual Pumpkin and PlanetArt will be required to roll out comprehensive information security programs that address the problems that led to the data breaches at CafePress. This will include replacing inadequate authentication measures, such as security questions, with multi-factor authentication methods, minimizing the amount of data the companies collect and retain, and encrypting Social Security numbers.
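The three remediation steps the order describes (never keeping reset answers in plaintext, a second factor in place of security questions, and a retention cut-off for customer data) as an added Python example. This is not code from the article, the FTC order, CafePress or PlanetArt; the customer records are constructed, and the 730-day retention window and the TOTP parameters (HMAC-SHA1, 30-second step, 6 digits, as in RFC 6238) are assumptions. Standard library only, so it runs offline.

```python
import hashlib
import hmac
import os
import struct
import time
from datetime import datetime, timedelta
from typing import List, Optional

# --- 1. Password-reset answers: store a salted, slow hash, never plaintext ---

def _normalize(answer: str) -> str:
    """Collapse case and whitespace so "Fluffy " and "fluffy" compare equal."""
    return " ".join(answer.split()).casefold()

def hash_answer(answer: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$digest' (hex) using PBKDF2-HMAC-SHA256 with a per-record salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"

def verify_answer(answer: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_answer(answer, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

# --- 2. Second factor: time-based one-time codes (RFC 4226 / RFC 6238) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from Unix time (assumed 30 s step)."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)

def verify_totp(secret: bytes, code: str, at: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current code and +/- `window` steps to tolerate clock drift."""
    at = int(time.time()) if at is None else at
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, counter + d, len(code)), code)
               for d in range(-window, window + 1))

# --- 3. Retention: drop customer records older than the policy allows ---

# Constructed sample records; not real customer data.
SAMPLE_CUSTOMERS = [
    {"email": "alice@example.com", "last_order": datetime(2019, 1, 15)},
    {"email": "bob@example.com", "last_order": datetime(2016, 6, 1)},
]

def purge_expired(records: List[dict], now: datetime, max_age_days: int) -> List[dict]:
    """Keep only records with activity inside the retention window."""
    cutoff = now - timedelta(days=max_age_days)
    return [r for r in records if r["last_order"] >= cutoff]

def apply_retention_policy(now: datetime = datetime(2019, 3, 1),
                           max_age_days: int = 730) -> List[str]:
    """Run the purge over the sample records; 730 days is an assumed policy."""
    return [r["email"] for r in purge_expired(SAMPLE_CUSTOMERS, now, max_age_days)]

if __name__ == "__main__":
    stored = hash_answer("Fluffy ")
    print("reset answer matches:", verify_answer("fluffy", stored))
    secret = os.urandom(20)  # per-user secret, would be provisioned to an authenticator app
    print("current code valid:", verify_totp(secret, totp(secret)))
    print("records retained:", apply_retention_policy())
```

Using the RFC 6238 test secret (ASCII `12345678901234567890`), `totp(secret, at=59)` yields `287082`, which is the published vector; the verifier below checks that, the reset-answer round trip, and that only the recently active customer survives the purge.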
Spokespeople for Residual Pumpkin and PlanetArt did not respond to requests for comment prior to publication.