"FTC Takes Action Against CafePress Over Massive Data Breach, Cover-Up"

The Federal Trade Commission (FTC) recently announced that it has finalized an order against CafePress, requiring it to improve its security posture following a cybersecurity incident that the company attempted to cover up. CafePress is an online retailer of products such as T-shirts, bags, calendars, and mugs, which users can customize with their own graphic designs or text. It also allows users to run virtual shops on the platform.

The data breach occurred in 2019 and impacted 23 million accounts. Despite repeated attempts to get the company to take proper action, CafePress failed to secure its systems and decided not to inform impacted customers about this and other cybersecurity incidents. A complaint was filed against former CafePress owner Residual Pumpkin Entity, LLC, and against the current owner, PlanetArt, LLC. The complaint claims that CafePress retained user data longer than needed, stored Social Security numbers in plaintext, failed to secure its systems against known threats, and covered up the 2019 data breach.

The FTC is now requiring Residual Pumpkin and PlanetArt to improve their security practices by adopting multi-factor authentication, minimizing the amount of data they collect, and storing Social Security numbers in encrypted form. The two companies must implement a comprehensive information security program within 60 days. Additionally, both companies are required to have their information security programs assessed by a third party and to provide the FTC with a copy of the assessment that can be publicly shared. The FTC also ordered Residual Pumpkin to pay $500,000 that will be distributed as relief to the victims of the data breach, and it ordered PlanetArt to notify consumers whose personal information was compromised.

The two companies are also required to provide the FTC with an annual certification from a senior corporate manager, detailing both their compliance with the order and any cyber incident that occurred during the certified period.

SecurityWeek reports: "FTC Takes Action Against CafePress Over Massive Data Breach, Cover-Up"