www.ftc.gov
2a02:26f0:6c00:2bb::2031
Public Scan
URL:
https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover
Submission: On July 11 via api from US — Scanned from DE
Form analysis
4 forms found in the DOM
GET /legal-library/search
<form action="/legal-library/search" class="usa-search usa-search--small " method="get" role="search"><label class="usa-sr-only" for="search-field-megamenu-1">Search small</label> <input class="usa-input" id="search-field-megamenu-1" name="search"
placeholder="Search Legal Library" type="search"><input type="hidden" name="sort_by" value="search_api_relevance"><button class="usa-button" type="submit"><span class="usa-sr-only">Search</span></button></form>
GET /legal-library/search
<form action="/legal-library/search" class="usa-search usa-search--small " method="get" role="search"><label class="usa-sr-only" for="search-field-megamenu-1">Search small</label> <input class="usa-input" id="search-field-megamenu-1" name="search"
placeholder="Search Legal Library" type="search"><input type="hidden" name="sort_by" value="search_api_relevance"><button class="usa-button" type="submit"><span class="usa-sr-only">Search</span></button></form>
GET https://search.usa.gov/search
<form accept-charset="UTF-8" action="https://search.usa.gov/search" id="search_form" method="get" class="usa-search usa-search--small">
<div style="margin:0;padding:0;display:inline">
<input name="utf8" type="hidden" value="✓">
</div>
<input id="affiliate" name="affiliate" type="hidden" value="ftc_prod"><label class="usa-sr-only" for="query">Enter Search Term(s):</label>
<input autocomplete="off" class="usagov-search-autocomplete ui-autocomplete-input" id="query" placeholder="Search FTC.gov" name="query" type="text"><input class="usa-button usa-button--search" name="commit" type="submit" value="Search">
</form>
GET https://search.usa.gov/search
<form accept-charset="UTF-8" action="https://search.usa.gov/search" class="usa-search usa-search--small" id="search_form_mobile" method="get">
<div style="margin:0;padding:0;display:inline"><input name="utf8" type="hidden" value="✓"></div>
<input id="affiliate_mobile" name="affiliate" type="hidden" value="ftc_prod"><label class="usa-sr-only" for="queryText">Enter Search Term(s):</label> <input autocomplete="off" class="usagov-search-autocomplete ui-autocomplete-input" id="queryText"
name="query" placeholder="Search FTC.gov" type="text"><input class="usa-button usa-button--search" name="commit" type="submit" value="Search">
</form>
Text Content
For Release

FTC TAKES ACTION AGAINST CAFEPRESS FOR DATA BREACH COVER UP

Commission orders e-commerce platform to bolster data security and provide redress to small businesses

March 15, 2022

Tags:
* Consumer Protection
* Southwest Region
* Bureau of Consumer Protection
* Privacy and Security
* Consumer Privacy
* Data Security
* Privacy Shield

The Federal Trade Commission today took action against online customized merchandise platform CafePress over allegations that it failed to secure consumers’ sensitive personal data and covered up a major breach. The FTC alleges that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions. The Commission’s proposed order requires the company to bolster its data security and requires its former owner to pay a half million dollars to compensate small businesses.

“CafePress employed careless security practices and concealed multiple breaches from consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “These orders dial up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information.”

In a complaint filed against Residual Pumpkin Entity, LLC, the former owner of CafePress, and PlanetArt, LLC, which bought CafePress in 2020, the FTC alleged that CafePress failed to implement reasonable security measures to protect the sensitive information of buyers and sellers stored on its network. In addition to storing Social Security numbers and password reset answers in clear, readable text, CafePress retained the data longer than was necessary. The company also failed to apply readily available protections against well-known threats and adequately respond to security incidents, the complaint alleged.

As a result of its shoddy security practices, CafePress’ network was breached multiple times. According to the complaint, a hacker exploited the company’s security failures in February 2019 to access millions of email addresses and passwords with weak encryption; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates. Some of the information was later found for sale on the Dark Web.

After being notified a month later that it had a security vulnerability and that hackers had obtained consumer data, CafePress patched the vulnerability but failed to properly investigate the breach for several months despite additional warnings, the complaint alleged. This included a warning in April 2019 from a foreign government, which notified the company that a hacker had illegally obtained CafePress customer account information and urged the company to notify affected customers. The company, however, withheld this essential information, and instead only told customers to reset their passwords as part of an update to its password policy. The complaint alleges CafePress did not inform affected customers until September 2019—one month after the breach was reported widely.

The company’s lax security practices, however, still left many consumers at risk. For example, the company continued to allow people to reset their passwords on the website by answering security questions associated with customer email addresses—the same information that had been previously stolen by hackers.

According to the complaint, CafePress was aware of problems with its data security prior to the 2019 data breach. Through at least January 2018, when CafePress determined that certain accounts of shopkeepers had been hacked, CafePress closed the accounts and charged the victims a $25 account closure fee. The company also experienced several malware infections to its network prior to the 2019 hack but failed to investigate the source of such attacks.

In addition to its security failures, the FTC alleged the company misled users by using consumer email addresses for marketing despite its promises that such information would only be used to fulfill orders consumers had placed.

As part of the proposed settlement, Residual Pumpkin and PlanetArt will be required to implement comprehensive information security programs that will address the problems that led to the data breaches at CafePress. This includes replacing inadequate authentication measures such as security questions with multi-factor authentication methods; minimizing the amount of data they collect and retain; and encrypting Social Security numbers.

In addition, the proposed settlement requires Residual Pumpkin to pay $500,000 in redress to victims of the data breaches. PlanetArt will be required to notify consumers whose personal information was accessed as a result of CafePress’s data breaches and provide specific information about how consumers can protect themselves. Both companies will be required to have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.

The Commission voted 4-0 to issue the proposed administrative complaint and to accept the consent agreement with the companies.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $46,517.

The Federal Trade Commission works to promote competition and protect and educate consumers. Learn more about consumer topics at consumer.ftc.gov, or report fraud, scams, and bad business practices at ReportFraud.ftc.gov. Follow the FTC on social media, read consumer alerts and the business blog, and sign up to get the latest FTC news and alerts.

CONTACT INFORMATION

MEDIA CONTACT
Juliana Gruenwald-Henderson
Office of Public Affairs
202-326-2924

STAFF CONTACTS
M. Hasan Aijaz
FTC Southwest Region
214-979-9386

Matthew J. Wilshire
FTC Southwest Region
214-979-9362

RELATED CASES
CafePress, In the Matter of

FOR BUSINESSES
Data Security
Data Breach Response: A Guide for Business
Blog: Data breach prevention and response: Lessons from the CafePress case

TOPICS
Privacy and Security Enforcement Data Security