FTC Cracks Down on CafePress for Data Breach Cover-Up

In a recent and significant enforcement action, the Federal Trade Commission (“FTC”) has taken steps to hold e-commerce platform CafePress accountable for its mishandling of sensitive consumer data. The company has been accused of failing to secure personal data, resulting in a major data breach that exposed millions of individuals to potential fraud and identity theft. Moreover, the FTC alleges that CafePress attempted to conceal the breach from consumers, exacerbating the impact of the security failure. The FTC's case centers around the company’s negligence in securing sensitive information, including Social Security numbers, password reset answers, and encrypted passwords. According to the complaint, the company stored this sensitive data in plain text, making it vulnerable to exploitation. Furthermore, CafePress did not use adequate encryption and failed to implement basic security measures, such as multi-factor authentication, to protect users from unauthorized access. The breach itself, which occurred in February 2019, allowed hackers to access millions of email addresses, passwords, physical addresses, and even partial payment card information. Among the most concerning breaches was the exposure of over 180,000 unencrypted Social Security numbers, some of which were later found for sale on the dark web. Despite receiving multiple warnings, including a government alert and direct notice of the breach, CafePress took months to inform consumers, not notifying them until September 2019, over six months after the breach occurred.