Security News > 2022 > March > CafePress fined for covering up 2019 customer info leak
The FTC wants the former owner of CafePress to cough up $500,000 after the customizable merch bazaar not only tried to cover up a major computer security breach involving millions of netizens, it failed to safeguard customers' personal information.
In a complaint [PDF] filed against CafePress former owner Residual Pumpkin Entity and PlanetArt, which bought the platform in 2020, the FTC alleges multiple instances of shoddy security practices at the online biz.
Posts about stolen customer data and rumors of a privacy breach began appearing on Twitter, Reddit, and Facebook as customers received notifications from monitoring services that their details were unexpectedly in circulation.
According to the FTC, CafePress received multiple warnings, including one from a foreign government, that its customer data had been lifted, yet kept quiet.
Residual Pumpkin continued to allow password resets from the CafePress website by answering security questions associated with the customer's email address - in other words, allowing miscreants to change people's passwords using information stolen in the breach.
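To make the failure concrete, here is an added example (not code from the article, CafePress or the FTC filings) contrasting a knowledge-based reset of the kind described above with an out-of-band, single-use, time-limited token reset. The account record, the e-mail address and the security answer are constructed sample data; the SHA-256 password hashing is a stand-in for illustration only, and a real system would use a salted, slow KDF.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample record standing in for one row of a leaked customer database.
# An attacker holding the breach dump knows every field, including the answer.
LEAKED_ACCOUNT = {
    "email": "alice@example.com",
    "password_hash": hashlib.sha256(b"old-password").hexdigest(),
    "security_answer": "fluffy",  # stored in the clear alongside the account
}


def _hash_password(password):
    # Illustrative only: production code uses a salted, slow KDF (argon2, bcrypt, scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(account, password):
    """Return True if `password` matches the account's stored hash."""
    return hmac.compare_digest(account["password_hash"], _hash_password(password))


def weak_reset(account, supplied_answer, new_password):
    """Knowledge-based reset: whoever knows the stored answer owns the account.
    After a breach that leaked the answers, that is every attacker with the dump."""
    if hmac.compare_digest(account["security_answer"], supplied_answer):
        account["password_hash"] = _hash_password(new_password)
        return True
    return False


class TokenReset:
    """Out-of-band reset: a random, single-use token delivered to the mailbox and
    valid only for a short window. Only a hash of the token is kept server-side,
    so a later database leak does not hand out usable reset tokens."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be exercised in tests
        self.pending = {}           # sha256(token) -> (email, expires_at)

    def issue(self, email):
        """Create a token for `email`; the caller e-mails it and must not store it."""
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.pending[token_hash] = (email, self.clock() + self.ttl)
        return token

    def redeem(self, token, new_password, accounts):
        """Consume `token` and set a new password. Unknown, reused and expired
        tokens are all rejected; a consumed token is removed before any check."""
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(token_hash, None)   # pop: single use, even on failure
        if entry is None:
            return False
        email, expires_at = entry
        if self.clock() > expires_at or email not in accounts:
            return False
        accounts[email]["password_hash"] = _hash_password(new_password)
        return True


if __name__ == "__main__":
    # The leaked answer alone is enough to hijack the account under the weak flow.
    victim = dict(LEAKED_ACCOUNT)
    print("weak reset with leaked answer:", weak_reset(victim, "fluffy", "attacker-chosen"))

    # Under the token flow the dump is useless without access to the mailbox.
    accounts = {LEAKED_ACCOUNT["email"]: dict(LEAKED_ACCOUNT)}
    flow = TokenReset()
    token = flow.issue(LEAKED_ACCOUNT["email"])     # would be sent by e-mail
    print("token reset, first use:", flow.redeem(token, "fresh-password", accounts))
    print("token reset, replayed:", flow.redeem(token, "again", accounts))
```

The point of the contrast is that the token flow ties a reset to something the breach did not give the attacker (control of the mailbox at that moment), while the security-question flow ties it to data that was already in circulation.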
In proposed settlements with Residual Pumpkin [PDF] and PlanetArt [PDF], the FTC tasked both companies with setting up a "Comprehensive information security program" that protects customers' privacy and personal information.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/03/16/ftc_cafepress_settlement/