Article 5XB23 CafePress's Previous Owner Fined $500,000 for 'Shoddy' Security, Covering up Data Breach

by EditorDavid from Slashdot on (#5XB23)
ZDNet describes CafePress as "a U.S. platform offering print-on-demand products" like custom t-shirts, hats, and mugs. "CafePress's past owner has been fined $500,000 over a litany of security failures and data breaches," ZDNet reported this week:

CafePress became the subject of a US Federal Trade Commission (FTC) investigation surrounding how it handled security - and how the firm allegedly "failed to secure consumers' sensitive personal data and covered up a major breach." On March 15, the US regulator said that Residual Pumpkin is required to pay $500,000 in damages. According to the FTC's complaint (PDF), issued against the platform's former owner Residual Pumpkin Entity, LLC, and its current owner PlanetArt, LLC, there was a lack of "reasonable security measures" to prevent data breaches. In addition, the FTC claims that CafePress kept user data for longer than necessary, stored personally identifiable information including Social Security numbers and password reset answers in cleartext, and did not patch against known system vulnerabilities. "As a result of its shoddy security practices, CafePress' network was breached multiple times," the FTC says.

CafePress experienced a major security incident in 2019. An attacker infiltrated the platform in February 2019 and was able to access data belonging to millions of users. This included email addresses, poorly-encrypted passwords, names, home addresses, security questions and answers, some partial card payment records, phone numbers, and at least 180,000 unencrypted Social Security numbers.... According to the FTC, CafePress was notified a month after the breach and did patch the security flaw - but did not investigate the breach properly "for several months." Customers were also not told. Instead, CafePress implemented a forced password reset as part of its "policy" and only informed users in September 2019, once the data breach had been publicly reported.

In a separate case in 2018, CafePress allegedly was made aware of shops being compromised. These accounts were closed - and the shopkeepers, the victims, were then charged $25 account closure fees. The FTC also claims that the company "misled" users by using consumer email addresses for marketing, despite promises to the contrary.
