CafePress's Previous Owner Fined $500,000 for 'Shoddy' Security, Covering up Data Breach

ZDNet describes CafePress as "a U.S. platform offering print-on-demand products" like custom t-shirts, hats, and mugs.

"CafePress's past owner has been fined $500,000 over a litany of security failures and data breaches," ZDNet reported this week: CafePress became the subject of a US Federal Trade Commission (FTC) investigation surrounding how it handled security — and how the firm allegedly "failed to secure consumers' sensitive personal data and covered up a major breach." On March 15, the US regulator said that Residual Pumpkin is required to pay $500,000 in damages. According to the FTC's complaint (PDF), issued against the platform's former owner Residual Pumpkin Entity, LLC, and its current owner PlanetArt, LLC, there was a lack of "reasonable security measures" to prevent data breaches.

In addition, the FTC claims that CafePress kept user data for longer than necessary, stored personally identifiable information including Social Security numbers and password reset answers in cleartext, and did not patch against known system vulnerabilities. "As a result of its shoddy security practices, CafePress' network was breached multiple times," the FTC says. CafePress experienced a major security incident in 2019. An attacker infiltrated the platform in February 2019 and was able to access data belonging to millions of users. This included email addresses, poorly-encrypted passwords, names, home addresses, security questions and answers, some partial card payment records, phone numbers, and at least 180,000 unencrypted Social Security numbers....

According to the FTC, CafePress was notified a month after the breach and did patch the security flaw — but did not investigate the breach properly "for several months." Customers were also not told. Instead, CafePress implemented a forced password reset as part of its "policy" and only informed users in September 2019, once the data breach had been publicly reported. In a separate case in 2018, CafePress allegedly was made aware of shops being compromised. These accounts were closed — and the shopkeepers, the victims, were then charged $25 account closure fees.

The FTC also claims that the company "misled" users by using consumer email addresses for marketing, despite promises to the contrary.

Uhh?

[wildstoo]

Why does a merchandise printing company need social security numbers?

Re:

[Rosco P. Coltrane]

The same reason Facebook needs your name and phone number.

Re:

[Jarik C-Bol]

I came to ask the same question. If I was ordering a novelty mug and the company asked for my SSN, I would close my browser entirely, run antivirus and spyware scans, and add the website to the ‘blocked’ on various security services.

Re:

[iggymanz]

If you were a vendor or contractor of them you'd provide your SS number or TIN.

Re:

[Jarik C-Bol]

I find it hard to imagine they have 180,000 vendors and suppliers, but I guess its possible.

Re:

[iggymanz]

They have 2.6 million online shops for others to sell things, the people running those have to supply TIN or SSN. The wonder is that it was only 180K numbers leaked.

Re:

[Jarik C-Bol]

Ah. I forgot that had become part of their business model. I’ve not used them in almost 20 years, and they were mostly just a ‘send us a picture and we’ll print it on things for you’ service at the beginning.

Re:Uhh?

[The Faywood Assassin]

CafePress features on demand merch production, and they handle the payment process as well.

I believe that they send you your portion of the sale, so that has to be reported to the IRS for income purposes.

It may only need to be reported over a certain threshold, but they still may need to report it.

Re:

[omnichad]

1099-K, most likely. Which does require SSN or EIN.

Re:

[cascadingstylesheet]

CafePress features on demand merch production, and they handle the payment process as well.

I believe that they send you your portion of the sale, so that has to be reported to the IRS for income purposes.

It may only need to be reported over a certain threshold, but they still may need to report it.

Exactly. It's the federal government, and to a lesser extent some (most?) state governments, that are the reason we have to hand out SSNs like candy.

Re:

[Zak3056]

Why does a merchandise printing company need social security numbers?

I would assume that it's not for the customers, it's for the vendors who operate out of the site so they can be issued proper documentation for tax purposes. If you're doing business as a sole proprietorship without an LLC or other type of corporation, your tax ID is your SSN.

Statists gonna State

[mi]

Why does a merchandise printing company need social security numbers?

So that they can report the earnings of the sellers to the IRS.

The likes of Paypal and Venmo now need that too [slashdot.org] — and certain Slashdotters think it a good thing...

Indeed, the only reason we still don't have tracking chips built into the cash (paper banknotes) is the technology lagging behind the Statists' desires...

Taste of their Own Medicine

[Italiano42]

We should just post the responsible individualsâ(TM) private information, including bank accounts and social security numbers as a deterrent. After years of being defrauded, they might take security seriously moving forward.

Re:

[schwit1]

Also do members of Congress and their families. See how fast a law gets passed that makes it life without parole for CEOs if you fail to secure SSNs. See how fast business that don't need the number by law purge it from their systems.

Congress won't act until it's personal.

Ok great!

[Rosco P. Coltrane]

Now can we fine Google, Facebook, Amazon, Microsoft, CloudFlare, Akamai and all the others, not for "failing to secure consumers' sensitive personal data and covering up a major breach", but for actively conning people out of giving it away on a massive scale and being totally secretive and deceptive about it? The latter is much worse than the former, so why aren't they being punished too?

Re:

[Retired Chemist]

Now can we fine Google, Facebook, Amazon, Microsoft, CloudFlare, Akamai and all the others, not for "failing to secure consumers' sensitive personal data and covering up a major breach", but for actively conning people out of giving it away on a massive scale and being totally secretive and deceptive about it? The latter is much worse than the former, so why aren't they being punished too?

Better lawyers.

Re:

[Errol backfiring]

why aren't they being punished too?

He did not offer governments a share in the data.

Can we do Twitter next?

[beepsky]

Can we do Twitter next?
I'm 99% sure at some point, or even today, they have vulnerabilities where you can find the phone number of pseudo-anonymous users.
Jack needs to have his anus stretched 10 sizes in Alcatraz

CafePress aren't alone

[mi]

For over twenty years I've been "tagging" the e-mail addresses I give out to companies with the company-name. Then, when I start getting spam — and even scams — at the tagged address, I know exactly, which business sold me (or was broken into).

Among the "biggies" are Dropbox and Nutrisystem... Yeah...

They treat it as a cost of doing business

[TomTraynor]

Until they start imposing files AND jailing the BoD and senior executives then nothing will change. Start doing major fines and jail time may get their attention. Second time it happens then perma-ban them from acting as a member of ANY BoD director or as an officer of a corporation. Fines should also be calculated as triple the revenue stream for when the company was vulnerable and is applied individually to the corporation, each BoD member and the senior executives.

DBs still open

[slazzy]

I just checked at it looks like they still have DB backups wide open to the public web... really terrible security.

I get to live the fun

[jmccue]

The FTC also claims that the company "misled" users by using consumer email addresses for marketing, despite promises to the contrary.

I am sill seeing this, I ordered a Slackware sweatshirt and made the mistake of not using my throw-away email. Hoping this fine will end the practice.