CafePress fined $500,000 for breach affecting 23 million users
The U.S. Federal Trade Commission has ordered Residual Pumpkin Entity, the former owner of the CafePress t-shirt and merchandise site, to pay a $500,000 fine for covering up a data breach impacting more than 23 million customers and failing to protect their data.
After its servers were breached multiple times, the company tried to cover up the major data breach resulting from its sloppy security practices.
According to the finalized order, on top of paying a $500,000 fine, Residual Pumpkin and PlanetArt have to implement multi-factor authentication, minimize the amount of collected and retained data, and encrypt all stored Social Security numbers.
CafePress allegedly tried to cover up this massive data breach and didn't notify any affected individuals until September 2019, one month after BleepingComputer reported the breach.
CafePress knew that it had data security problems even before the 2019 breach since, according to the FTC's complaint, the company found out that some of its shopkeepers' accounts had been compromised since at least January 2018.
Several malware infections also impacted the company's network before the 2019 security breach, and CafePress, once again, failed to investigate the attacks.