CafePress is a web service that lets artists, shops, businesses, fan clubs – anyone who signs up, in fact – turn designs, corporate slogans, logos and the like into fun merchandise they can give away or sell on to others.

The days when you had to put in an order for several hundred coffee mugs (or golf balls, or mousemats, or T-shirts, or hoodies) just to get one with the company name on them are long gone, with even one-off merch orders possible thanks to on-line ordering.

Unfortunately, as the US Federal Trade Commission explained last week in a case report bluntly entitled CafePress, In the Matter of, the company wasn’t up to scratch when it came to looking after the personal data of its customers and signed-up sellers.

According to the FTC, the CafePress service experienced a data breach, discovered and reported in early 2019, that was not acted on promptly or effectively, making the ultimate side-effects of the breach much worse than they ought to have been.

In other words, even though the company was itself the victim of a cybercrime, it has nevertheless been censured and fined for what it did (and didn’t do), both before and after this cybercrime took place.

The breach, says the FTC, saw hackers make off with more than 20,000,000 plaintext email addresses and weakly-hashed passwords; millions of unencrypted names, physical addresses, and security questions-and-answers; more than 180,000 unencrypted SSNs (social security numbers); and, for tens of thousands of payment cards, the last four digits of the card plus the expiry date.
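The phrase "weakly-hashed passwords" deserves unpacking, because it is the difference between a leak of 20 million hashes and a leak of 20 million passwords. The Python example below is added here and is not code from the article or from CafePress's systems; it assumes, purely for illustration, that "weakly hashed" means an unsalted, single-pass SHA-1 digest, and it uses a constructed attacker wordlist and constructed user records rather than any real data. It shows why such hashes fall to a precomputed lookup with no per-user work at all, and contrasts them with salted, iterated PBKDF2 hashes, where the same lookup yields nothing and every guess has to be re-derived per user.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed wordlist standing in for an attacker's dictionary (not real data).
WORDLIST: List[str] = ["password", "123456", "letmein", "qwerty", "welcome1"]

# Constructed "stolen" records: email -> unsalted SHA-1 hex digest.
# The third user chose a passphrase that is not in the wordlist.
STOLEN_WEAK_RECORDS: Dict[str, str] = {
    "alice@example.com": hashlib.sha1(b"password").hexdigest(),
    "bob@example.com": hashlib.sha1(b"letmein").hexdigest(),
    "carol@example.com": hashlib.sha1(b"correct horse battery staple").hexdigest(),
}

# Iteration count for PBKDF2-HMAC-SHA512 (current OWASP guidance is 210,000).
PBKDF2_ROUNDS = 210_000


def weak_hash(password: str) -> str:
    """Unsalted, single-round SHA-1: the assumed 'weak hash' for this example."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist: List[str]) -> Dict[str, str]:
    """Precompute digest -> plaintext once; the table works against every user on every site."""
    return {weak_hash(word): word for word in wordlist}


def crack_weak_records(records: Dict[str, str],
                       table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Recover plaintexts by dictionary lookup; no per-user computation is needed."""
    return {user: table.get(digest) for user, digest in records.items()}


def strong_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated PBKDF2-HMAC-SHA512; returns (salt, digest) for storage."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS, dklen=32)
    return salt, digest


def verify_strong(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    salt, PBKDF2_ROUNDS, dklen=32)
    return hmac.compare_digest(candidate, digest)


def crack_strong_records(records: Dict[str, Tuple[bytes, bytes]],
                         wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Against salted hashes the precomputed table is useless: every guess must be
    re-derived for every user, so the cost is (users x guesses x PBKDF2_ROUNDS)."""
    return {
        user: next((word for word in wordlist if verify_strong(word, salt, digest)), None)
        for user, (salt, digest) in records.items()
    }


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("weak hashes cracked by lookup:", crack_weak_records(STOLEN_WEAK_RECORDS, table))

    # Same users, same passwords, but stored with per-user salt and a slow KDF.
    strong_records = {
        "alice@example.com": strong_hash("password"),
        "bob@example.com": strong_hash("letmein"),
        "carol@example.com": strong_hash("correct horse battery staple"),
    }
    # The attacker's table never matches a salted digest.
    hits = [u for u, (_, d) in strong_records.items() if d.hex() in table]
    print("strong hashes found in lookup table:", hits)
    # Weak passwords are still guessable, but only by paying the KDF cost per user per guess.
    print("strong hashes cracked by per-user brute force:",
          crack_strong_records(strong_records, WORDLIST))
```

The point the example makes is not that a salt plus a slow KDF rescues a user who picked "password"; it is that it removes the free, reusable lookup and forces the attacker to spend the full derivation cost on every guess for every one of the 20 million accounts. Combined with the plaintext email addresses in the same dump, a crackable hash is effectively a ready-made credential-stuffing list.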

The sloppiness of the company's follow-up to this sloppiness led to a plain-talking headline on the government's own press release: FTC Takes Action Against CafePress for Data Breach Cover Up.

Consent order issued

As part of the FTC's settlement, known in US parlance as a consent order, the owner of CafePress at the time – a company with the quizzical name of Residual Pumpkin – will pay a penalty of $500,000.

Both Residual Pumpkin and the website’s new holding company, Planet Art, will be subject to numerous other conditions, including submitting to security assessments every two years for the next 20 years.

Importantly for any businesses out there that still pay little more than lip service to cybersecurity, the FTC wasn’t unsympathetic to CafePress-the-cybercrime-victim.

But the FTC was deeply critical of CafePress-as-a-21st-century-holder-and-processor-of-personal-information.

In particular, the FTC censured CafePress for the following:

  • Misrepresenting the measures it took to protect personal information.
  • Misrepresenting the steps it took to secure consumer accounts following security incidents.
  • Failing to employ reasonable data security practices.
  • Misrepresenting how it would use email addresses.
  • Misrepresenting the company’s adherence to privacy regulations in the US and the EU.
  • Misrepresenting its intention to honour data deletion requests by customers and sellers.

Cybersecurity no-nos

The FTC picked up explicitly on cybersecurity and data protection no-nos such as:..

Read The Full Article at Sophos