FTC Takes Action Against CafePress for Data Breach Cover-Up and the Key Lessons for Businesses on Security and Accountability

The Federal Trade Commission (“FTC”) has finalized an enforcement action against CafePress, the popular e-commerce platform for customized merchandise, for failing to secure sensitive consumer data and attempting to cover up a significant data breach. This action, which includes a half-million-dollar penalty and a series of stringent requirements, serves as a powerful reminder to businesses about the importance of robust data security practices and transparency with consumers. The FTC’s case, originally filed in March 2022, centers around accusations that CafePress, under its former owner, Residual Pumpkin Entity, LLC, and its new owner, PlanetArt, LLC, neglected basic security protocols that left sensitive data exposed. Among the most concerning allegations, the company failed to properly secure Social Security numbers, passwords, and answers to password reset questions. In fact, these details were stored in clear, readable text—an easily exploitable vulnerability that could lead to identity theft or other forms of fraud. In addition to failing to secure this sensitive information, CafePress also retained it for far longer than necessary, exposing data to further risk. The FTC also found that the company did not apply commonly available protections against known cyber threats and failed to adequately respond to multiple breaches, including one in 2019. When hackers exploited the company's security flaws, CafePress did not promptly notify affected consumers and even attempted to downplay the breach, withholding crucial information about the extent of the breach for months. As a result, millions of consumers were left at risk. If you would like to read more about this case and others, visit our Case Studies Library.