CafePress faces $500,000 fine for data breach cover up


David H. Lipman
CafePress faces $500,000 fine for data breach cover up

Quote

Posted: March 16, 2022 by Pieter Arntz

The US Federal Trade Commission (FTC) has announced that it took action against online customized merchandise platform CafePress over allegations that it failed to secure consumers’ sensitive personal data and covered up a major breach.

CafePress is a popular online custom T-shirt and merchandise retailer. According to Samuel Levine, Director of the FTC’s Bureau of Consumer Protection:

“CafePress employed careless security practices and concealed multiple breaches from consumers.”

CafePress waited seven months to publicly disclose a 2019 breach, and only did so after it had been reported in the news.

The FTC complaint also takes issue with the way CafePress handled customer information, saying that CafePress “misled users by using consumer email addresses for marketing despite its promises that such information would only be used to fulfill orders consumers had placed.” This is considered an unfair and deceptive practice under Section 5 of the FTC Act.

The breach

In February 2019, a threat actor was able to access millions of email addresses and passwords. According to the complaint by the FTC this was made possible because CafePress failed to implement reasonable security measures to protect the sensitive information of buyers and sellers stored on its network.

The passwords are said to have been protected by “weak encryption”, an absolute security no-no. Passwords that are secured using a properly configured password hashing function—such as bcrypt or scrypt—take so long to crack that they are essentially useless to attackers, even if they are leaked.

Leaked email addresses and passwords are a serious problem because many people re-use their passwords across multiple websites and services. Cybercriminals know this and will try stolen usernames and passwords in as many different places as they can—a practice known as credential stuffing.

The threat actor also captured millions of unencrypted names, physical addresses, and security questions and answers, as well as over 180,000 unencrypted Social Security Numbers (SSNs), along with tens of thousands of partial payment card numbers (last 4 digits) and expiration dates. A treasure trove for social engineers.

Informing customers

Despite warnings from several sides, including a foreign government, CafePress decided not to inform its customers, but instead only told customers to reset their passwords as part of an update to its password policy. CafePress apparently patched the vulnerability the cybercriminals made use of, but failed to properly investigate the breach for several months despite additional warnings.

Data from the breach eventually ended up in Troy Hunt’s Have I Been Pwned (HIBP) database, which tipped off journalists. It wasn’t until news of the breach was reported in the press that CafePress actually informed its customers.

Lax security

In the complaint the FTC mentions several cases of bad security practices, before and after the breach. According to the FTC, CafePress…

  • Failed to investigate the source of several malware infections that occurred on its network prior to the 2019 attack.
  • Failed to implement reasonable security measures to protect the sensitive information of buyers and sellers.
  • Stored SSNs and password reset answers in clear text, alongside millions of unencrypted names and physical addresses.
  • Retained customers’ data longer than was necessary.
  • Failed to apply readily available protections against well-known threats and to adequately respond to security incidents.
  • Continued to allow people to reset their passwords by answering security questions known to the attackers.

As a result of its lax security practices, it should not come as a surprise that CafePress’ network was breached multiple times.

Proposed settlement

As part of the proposed settlement, Residual Pumpkin and PlanetArt (the previous and current owners of CafePress) will be required to implement comprehensive information security programs that will address the problems that led to the data breaches at CafePress. This includes replacing inadequate authentication measures—such as security questions—with multi-factor authentication methods, minimizing the amount of data it collects and retains, and encrypting SSNs.

PlanetArt will be required to notify consumers whose personal information was accessed as a result of CafePress’s data breaches and provide specific information about how consumers can protect themselves. Both companies will be required to have a third-party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.

In addition, Residual Pumpkin will have to make a $500,000 payment to data breach victims, the FTC said in the statement. CafePress has already settled with seven US states as a result of this data breach.

Reusing passwords

We have warned users often against reusing passwords across different services. This case is a prime example that shows why this is important. Users were left in the dark about their compromised passwords for several months. This gave the criminals behind the breach plenty of time to perform credential stuffing attacks on other services.

Since shopping services usually store credit card details and people’s home addresses alongside login credentials, there is no reason to treat these accounts as if they have a lower security priority. On the contrary, it could turn out to be a costly mistake. Use a password manager to make it easier to create and use strong, unique passwords for each service you use.


FTC Takes Action Against CafePress for Data Breach Cover Up

Quote

The Federal Trade Commission today took action against online customized merchandise platform CafePress over allegations that it failed to secure consumers’ sensitive personal data and covered up a major breach. The FTC alleges that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions. The Commission’s proposed order requires the company to bolster its data security and requires its former owner to pay a half million dollars to compensate small businesses.

“CafePress employed careless security practices and concealed multiple breaches from consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “These orders dial up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information.”

In a complaint filed against Residual Pumpkin Entity, LLC, the former owner of CafePress, and PlanetArt, LLC, which bought CafePress in 2020, the FTC alleged that CafePress failed to implement reasonable security measures to protect the sensitive information of buyers and sellers stored on its network. In addition to storing Social Security numbers and password reset answers in clear, readable text, CafePress retained the data longer than was necessary. The company also failed to apply readily available protections against well-known threats and adequately respond to security incidents, the complaint alleged. As a result of its shoddy security practices, CafePress’ network was breached multiple times.

According to the complaint, a hacker exploited the company’s security failures in February 2019 to access millions of email addresses and passwords with weak encryption; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates. Some of the information was later found for sale on the Dark Web.

After being notified a month later that it had a security vulnerability and that hackers had obtained consumer data, CafePress patched the vulnerability but failed to properly investigate the breach for several months despite additional warnings, the complaint alleged. This included a warning in April 2019 from a foreign government, which notified the company that a hacker had illegally obtained CafePress customer account information and urged the company to notify affected customers. The company, however, withheld this essential information, and instead only told customers to reset their passwords as part of an update to its password policy.

The complaint alleges CafePress did not inform affected customers until September 2019—one month after the breach was reported widely. The company’s lax security practices, however, still left many consumers at risk. For example, the company continued to allow people to reset their passwords on the website by answering security questions associated with customer email addresses—the same information that had been previously stolen by hackers.

According to the complaint, CafePress was aware of problems with its data security prior to the 2019 data breach. Through at least January 2018, when CafePress determined that certain accounts of shopkeepers had been hacked, CafePress closed the accounts and charged the victims a $25 account closure fee. The company also experienced several malware infections to its network prior to the 2019 hack but failed to investigate the source of such attacks.

In addition to its security failures, the FTC alleged the company misled users by using consumer email addresses for marketing despite its promises that such information would only be used to fulfill orders consumers had placed.

As part of the proposed settlement, Residual Pumpkin and PlanetArt will be required to implement comprehensive information security programs that will address the problems that led to the data breaches at CafePress. This includes replacing inadequate authentication measures such as security questions with multi-factor authentication methods; minimizing the amount of data they collect and retain; and encrypting Social Security numbers.

In addition, the proposed settlement requires Residual Pumpkin to pay $500,000 in redress to victims of the data breaches. PlanetArt will be required to notify consumers whose personal information was accessed as a result of CafePress’s data breaches and provide specific information about how consumers can protect themselves. Both companies will be required to have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.

The Commission voted 4-0 to issue the proposed administrative complaint and to accept the consent agreement with the companies.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $46,517.
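The Malwarebytes article above contrasts CafePress’s “weak encryption” of passwords with a properly configured password hashing function such as bcrypt or scrypt. The following is an added example, not code from either quoted article, showing what that looks like in practice: each password is run through scrypt with a random per-user salt, the cost parameters are stored next to the hash so they can be raised later, and verification uses a constant-time comparison. The parameter values and the record format are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed cost policy (illustrative): n=2**14, r=8, p=1 is a common baseline for
# interactive logins; raise n as hardware allows. Memory used is 128 * r * n bytes.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32  # bytes of derived key to store

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$n$r$p$salt_hex$hash_hex'."""
    # A fresh random salt per user means identical passwords produce different
    # records, so a leaked table cannot be attacked with one precomputed lookup.
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def _parse(record: str):
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return None
    _, n, r, p, salt_hex, hash_hex = parts
    return int(n), int(r), int(p), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own parameters and compare in constant time."""
    parsed = _parse(record)
    if parsed is None:
        return False
    n, r, p, salt, expected = parsed
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(digest, expected)

def needs_rehash(record: str) -> bool:
    """True when a stored record is weaker than the current policy (rehash at next login)."""
    parsed = _parse(record)
    if parsed is None:
        return True
    n, r, p, _, _ = parsed
    return (n, r, p) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)
```

Because the parameters travel with the record, a site can tighten its policy over time and upgrade old records transparently when users next log in, rather than leaving a weakly protected table in place for years.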
