The U.S. Federal Trade Commission (FTC) has slapped eCommerce giant CafePress with a $500,000 fine for mishandling their 2019 data breach. FTC also urged the firm’s new owners to implement strict security measures to prevent such incidents in the future.
CafePress Fined $500K For 2019 Data Breach
Almost two years after the devastating security breach, CafePress faces the music for adamantly hiding it.
In August 2019, news surfaced online, hinting at a possible security breach affecting CafePress. At that time, the company did not officially confirm anything in this regard. Instead, it simply sent generic alerts to the users, asking them to reset their passwords.
Nonetheless, a data dump update from HaveIBeenPwned’s Troy Hunt disclosed that the site had suffered a data breach affecting over 23 million customers. The incident exposed the victims’ personal details and hashed passwords.
This incident eventually attracted FTC’s attention. And now, the Commission has slapped CafePress with a hefty $500,000 fine for the data breach. According to the case summary,
The FTC alleged that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions.
Besides the fine, FTC also urged the Residual Pumpkin Entity, LLC, CafePress owner firm, to “bolster its security.”
The Commission’s proposed order requires the company to bolster its data security and requires its former owner to pay a half million dollars to compensate small businesses.
In the detailed decision, the Commission listed the various steps the firm should take. Some of these include,
- Designating responsible personnel for coordinating the Information Security Program following proper documentation.
- Designing and implementing security controls to prevent potential risks, including regular code reviewing for web apps, identifying unauthorized access attempts, and ensuring secure data storage with appropriate data access controls.
- Replacing the existing authentication measures with secure methodologies, like multi-factor authentication.
- Training employees about Personal Information security.
In addition, the Commission also ordered the firm to issue prompt notifications to the affected clients and/or customers in the event of a security breach.