The Weekly Breach Breakdown: Slow Grind – CafePress Breach Cover-Up Forces the FTC to Act

  • 03/18/2022


  • The Federal Trade Commission (FTC) is taking action against a CafePress breach cover-up. The company failed to secure consumers’ sensitive personal information and tell people about their 2019 breach on a timely basis.
  • In addition to storing Social Security numbers (SSN) and password reset answers in clear, readable text, CafePress retained the compromised data longer than necessary.
  • It is not the first CafePress breach. In 2018, the company discovered some CafePress accounts had been compromised. CafePress closed the accounts but charged the victims a $25 account closure fee.
  • The FTC will require CafePress to implement comprehensive information security programs to address the problems that led to the CafePress breaches, and pay $500,000 to victims.
  • To learn about recent data compromises, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified. 
  • If you believe you are the victim of an identity crime, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website idtheftcenter.org.

Slow Grind

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for March 18, 2022. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. In the 3rd century, Greek philosopher Sextus Empiricus wrote, “The mills of the gods grind slowly, but they grind small,” referring to the fact that the administration of justice takes a while. More recently, the saying has been updated to a more modern context of “The wheels of justice grind slowly, but they grind exceedingly fine” or the even shorter – “Justice delayed is justice denied.” In this week’s episode, we’re talking about an example of the wheels of justice grinding slowly, but ultimately being served: the CafePress breach cover-up.

FTC Takes Enforcement Action Against CafePress Breach Cover-Up

This week, the Federal Trade Commission (FTC) took enforcement action against CafePress after the company failed to secure consumers’ sensitive personal information and failed to tell people about the CafePress breach on a timely basis. It didn’t just happen once. The company had a history of cyberattacks exploiting poor security.

Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, was quoted in the news release: “CafePress employed careless security practices and concealed multiple breaches from consumers. These orders dial-up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information.”

In addition to storing Social Security numbers (SSN) and password reset answers in clear, readable text, CafePress retained the compromised data longer than was necessary. The company also failed to apply readily available protections against well-known threats and adequately respond to security incidents.

The FTC’s complaint outlined how a hacker exploited the company’s security failures in February 2019, accessing millions of email addresses and passwords with weak encryption; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted SSNs; and tens of thousands of partial payment card numbers and expiration dates. Some of the information was later found for sale on the dark web.

CafePress did inform affected customers in September 2019, but that was one month after CafePress was compromised, and the breach was widely reported. Even then, the company continued to allow password resets using the same information that had been previously stolen by hackers.

CafePress Has Suffered Multiple Data Breaches

The 2019 compromise was not the first data breach at CafePress. In January 2018, the company discovered some CafePress accounts had been compromised. CafePress closed the accounts but charged the victims a $25 account closure fee. The company also experienced several malware infections before the 2019 CafePress breach but failed to investigate the source of the attacks.

What’s Next for CafePress

As part of the FTC settlement, the owners of CafePress will be required to implement comprehensive information security programs to address the problems that led to the CafePress breaches. They will also have to pay $500,000 to victims. The security improvements include replacing inadequate authentication measures with multi-factor authentication, minimizing the amount of data they collect and retain, encrypting SSNs, and providing the Commission with a copy of third-party security assessments of their information security programs that can be disclosed publicly.

Contact the ITRC

If you want to learn more about protecting your personal or business information, or if you think you have been the victim of an identity crime or compromise, visit our new website at our old web address www.idtheftcenter.org. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web, or exchange emails during our normal business hours (Monday-Friday 6 a.m.-5 p.m. PST).  

Thanks again to Experian for supporting the ITRC and this podcast. We’ll be back next week with a new episode of our sister podcast, The Fraudian Slip, with special guest Nuance, and then in two weeks with another episode of the Weekly Breach Breakdown. 

  • Follow on LinkedIn: www.linkedin.com/company/idtheftcenter
  • Follow on X: www.twitter.com/IDTheftCenter

This website was supported in part by grant number 15POVC-21-GK-01092-NONF and 15POVC-22-GK-01803-NONF, awarded by the Office for Victims of Crime, Office of Justice Programs, U.S. Department of Justice. The opinions, findings, and conclusions or recommendations expressed in this product are those of the contributors and do not necessarily represent the official position or policies of the U.S. Department of Justice. View more about our copyright info here.
