The U.S. Federal Trade Commission (FTC) has ordered Residual Pumpkin Entity, the former owner of the CafePress t-shirt and merchandise site, to pay a $500,000 fine for covering up a data breach impacting more than 23 million customers and failing to protect their data.
As the consumer protection watchdog explained in a complaint from March 2022, Residual Pumpkin Entity stored its customers’ Social Security numbers and password reset answers in plain text and longer than necessary.
The company also failed to apply available protections and respond to security incidents. After its servers were breached multiple times, it tried to cover up the major data breach resulting from its sloppy security practices.
According to the finalized order, on top of paying a $500,000 fine, Residual Pumpkin and PlanetArt (CAfePress’ new owner) have to implement multi-factor authentication, minimize the amount of collected and retained data, and encrypt all stored Social Security numbers.
PlanetArt was also ordered to alert buyers and sellers whose personal info was accessed or stolen during the security breaches and provide them with information on how they can protect themselves.
February 2019 data breach
After a February 2019 breach of CafePress’ servers, unknown attackers gained access to, exfiltrated, and later put up for sale on the dark web personal information belonging to 23,205,290 CafePress users, including:
- millions of email addresses and passwords with weak encryption;
- millions of unencrypted names, physical addresses, and security questions and answers;
- more than 180,000 unencrypted Social Security numbers;
- and tens of thousands of partial payment card numbers and expiration dates.
CafePress allegedly tried to cover up this massive data breach and didn’t notify any affected individuals until September 2019, one month after BleepingComputer reported the breach. However, some users were made aware of the incident after receiving notifications from Troy Hunt’s Have I Been Pwned service.
At the time, CafePress did not reply when BleepingComputer reached out for more information and did not issue a statement regarding the breach.
The only sign that something was wrong was that its users were forced to reset their password when logging in (with no mention of the data breach).
Failures to investigate attacks and report breaches
CafePress knew that it had data security problems even before the 2019 breach since, according to FTC’s complaint, the company found out that some of its shopkeepers’ accounts had been compromised since at least January 2018.
Instead of informing them of the incidents, CafePress closed their accounts and charged each of them a $25 account closure fee.
Several malware infections also impacted the company’s network before the 2019 security breach, and CafePress, once again, failed to investigate the attacks.
When it announced the complaint in March, the FTC claimed that CafePress “misled users by using consumer email addresses for marketing despite its promises that such information would only be used to fulfill orders consumers had placed.”