The Federal Trade Commission (FTC) issued a press release on March 15, 2022, stating that it was taking action against CafePress “over allegations that it failed to secure consumers’ sensitive personal data and covered up a major breach” by filing a complaint against Residual Pumpkin Entity, LLC, formerly d/b/a CafePress, and PlanetArt, LLC, d/b/a CafePress.
The proposed order and decision would settle the FTC’s complaint against CafePress, which alleged that the respondents “hosted a platform at the website www.cafepress.com, through which consumers nationwide and internationally can purchase customized merchandise,” and “collected sensitive information from users through its website.” According to the complaint, the information was stored on CafePress’ network in clear text, was not reasonably secured, and was compromised by a hacker.
The FTC alleged that CafePress misrepresented its security practices in the privacy policy on its website and in other communications to consumers when it stated that it uses safeguards to protect personal information, including “the best and most accepted methods and technologies,” and promised “safe and secure Shopping. Guaranteed.”
According to the complaint, respondents “failed to provide reasonable security for the Personal Information stored on its network,” by:

- storing Social Security numbers and security questions and answers in clear, readable text;
- failing to use reasonable measures to protect passwords;
- failing to have a process in place to address security vulnerabilities;
- failing to implement patch management processes;
- failing to destroy data no longer needed;
- failing to have processes to detect intrusions; and
- failing to reasonably respond to security incidents.
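The first two items above, clear-text storage and inadequate password protection, are the ones a developer can act on directly. The following block is an added example, not code from the page or from CafePress, and it assumes nothing about how CafePress actually stored records: it contrasts a clear-text credential record with a salted, iterated-hash record and shows what an attacker who copies the database (the scenario the complaint describes) can recover from each. The record layout, the constructed sample passwords and the wordlist are all invented for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. Constructed example; tune for your
# hardware, the point is that each guess costs the attacker this much too.
ITERATIONS = 200_000


def store_clear(password: str) -> dict:
    """The practice the complaint describes: the stored record *is* the secret.
    Anyone who copies the table can log in as the user with no further work."""
    return {"scheme": "clear", "password": password}


def store_hashed(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted, iterated hash. The record lets the server verify a login but
    does not contain the password; a thief must guess it one attempt at a time."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)
    return {"scheme": "pbkdf2", "salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Constant-time comparison for both schemes, so the check itself leaks nothing."""
    if record["scheme"] == "clear":
        return hmac.compare_digest(record["password"].encode(), attempt.encode())
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS, dklen=32)
    return hmac.compare_digest(bytes.fromhex(record["hash"]), digest)


def secret_exposed_by_record(record: dict) -> Optional[str]:
    """What a database copy hands an attacker outright: the password for a
    clear-text record, nothing for a hashed one."""
    return record["password"] if record["scheme"] == "clear" else None


def offline_guess(record: dict, wordlist) -> Tuple[Optional[str], int]:
    """Simulate an attacker running a wordlist against a stolen record.
    Returns (recovered_password_or_None, number_of_guesses_spent)."""
    count = 0
    for guess in wordlist:
        count += 1
        if verify(record, guess):
            return guess, count
    return None, count


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    weak, strong = "hunter2", "correct horse battery staple"
    wordlist = ["password", "123456", "hunter2", "qwerty"]

    print("clear record leaks:", secret_exposed_by_record(store_clear(strong)))
    print("hashed record leaks:", secret_exposed_by_record(store_hashed(strong)))
    # Hashing slows guessing but does not rescue a password that is in the wordlist.
    print("weak password, hashed:", offline_guess(store_hashed(weak), wordlist))
    print("strong password, hashed:", offline_guess(store_hashed(strong), wordlist))
```

The takeaway the complaint points at is the first call: a clear-text table is a complete credential dump the moment it is copied, while a hashed table forces per-guess work and protects every password the attacker cannot guess. Security-question answers and Social Security numbers used as identifiers can be stored the same way when they only need to be matched, not read back.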
The allegations stem from a security incident in February of 2019, when a hacker exploited the failures listed above and accessed unencrypted information held by CafePress, including consumers’, employees’ and shopkeepers’ email addresses and passwords, security questions and answers, and “more than 180,000 unencrypted Social Security numbers.” After the compromise, the information was available for sale on the dark web.
Although CafePress received a letter from a foreign government in April of 2019 advising it that the information had been sold to “carders” on the dark web and suggesting that it notify users of the compromised accounts to prevent further fraud, the FTC alleges that CafePress failed to notify the users of the incident and merely requested that users change their passwords.
Meanwhile, the compromise was reported on Twitter and Reddit, consumers notified respondents that their information had been breached, and respondents experienced a “‘spike’ in suspected fraudulent orders.”
According to the complaint, CafePress sent breach notification letters to affected individuals in September of 2019. The FTC further alleges that the February 2019 breach was not the only incident experienced by CafePress. Previous incidents culminated with “an identity thief or thieves us(ing) Personal Information belonging to three Residual Pumpkin employees to try to change the employees’ payroll direct deposit information. Only after the third incident did Residual Pumpkin at last begin an investigation.”
The seven-count complaint alleged unfair or deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act by the following acts and practices:

- data security misrepresentations;
- response to data security incident misrepresentations;
- unfair data security practices;
- data collection and use misrepresentation;
- misrepresentation relating to Privacy Shield frameworks;
- misrepresentation relating to deletion of consumer data; and
- unfair withholding of payable commissions after security breach.
The proposed order and decision seeks monetary relief of $500,000 for consumers and requires CafePress to implement an information security program, obtain initial and biennial security program assessments by an independent third party, provide annual certifications to the FTC, and report any security incidents to the FTC within 30 days of discovery, among other things.
The course of the complaint and the proposed order and decision follows a well-known and consistent roadmap of the FTC’s use of Section 5 of the FTC Act to compel companies to use robust data security measures to protect the personal information of consumers.