www.ftc.gov Open in urlscan Pro
2a02:26f0:6c00:2bb::2031  Public Scan

URL: https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover
Submission: On July 11 via api from US — Scanned from DE

Form analysis 4 forms found in the DOM

GET /legal-library/search

<form action="/legal-library/search" class="usa-search usa-search--small " method="get" role="search"><label class="usa-sr-only" for="search-field-megamenu-1">Search small</label> <input class="usa-input" id="search-field-megamenu-1" name="search"
    placeholder="Search Legal Library" type="search"><input type="hidden" name="sort_by" value="search_api_relevance"><button class="usa-button" type="submit"><span class="usa-sr-only">Search</span></button></form>

GET /legal-library/search

<form action="/legal-library/search" class="usa-search usa-search--small " method="get" role="search"><label class="usa-sr-only" for="search-field-megamenu-1">Search small</label> <input class="usa-input" id="search-field-megamenu-1" name="search"
    placeholder="Search Legal Library" type="search"><input type="hidden" name="sort_by" value="search_api_relevance"><button class="usa-button" type="submit"><span class="usa-sr-only">Search</span></button></form>

GET https://search.usa.gov/search

<form accept-charset="UTF-8" action="https://search.usa.gov/search" id="search_form" method="get" class="usa-search usa-search--small">
  <div style="margin:0;padding:0;display:inline">
    <input name="utf8" type="hidden" value="✓">
  </div>
  <input id="affiliate" name="affiliate" type="hidden" value="ftc_prod"><label class="usa-sr-only" for="query">Enter Search Term(s):</label>
  <input autocomplete="off" class="usagov-search-autocomplete ui-autocomplete-input" id="query" placeholder="Search FTC.gov" name="query" type="text"><input class="usa-button usa-button--search" name="commit" type="submit" value="Search">
</form>

GET https://search.usa.gov/search

<form accept-charset="UTF-8" action="https://search.usa.gov/search" class="usa-search usa-search--small" id="search_form_mobile" method="get">
  <div style="margin:0;padding:0;display:inline"><input name="utf8" type="hidden" value="✓"></div>
  <input id="affiliate_mobile" name="affiliate" type="hidden" value="ftc_prod"><label class="usa-sr-only" for="queryText">Enter Search Term(s):</label> <input autocomplete="off" class="usagov-search-autocomplete ui-autocomplete-input" id="queryText"
    name="query" placeholder="Search FTC.gov" type="text"><input class="usa-button usa-button--search" name="commit" type="submit" value="Search">&nbsp;
</form>

Text Content

Skip to main content

An official website of the United States government

Here’s how you know

Here's how you know

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive
information, make sure you’re on a federal government site.

The site is secure.
The https:// ensures that you are connecting to the official website and that
any information you provide is encrypted and transmitted securely.


TRANSLATION MENU

 * Español


SECONDARY MENU

 * Report Fraud
 * Sign Up for Consumer Alerts
 * Search the Legal Library


Menu


MAIN MENU MEGA

 * Show/hide Enforcement menu items
   
   
   ENFORCEMENT
   
   We enforce federal competition and consumer protection laws that prevent
   anticompetitive, deceptive, and unfair business practices.
   
   View Enforcement
   
   
   SEARCH OR BROWSE
   THE LEGAL LIBRARY
   
   Find legal resources and guidance to understand your business
   responsibilities and comply with the law.
   
   Browse legal resources
   
   Search small Search
   
   
   SECTIONS
   
    * Cases and Proceedings
    * Premerger Notification Program
    * Merger Review
    * Anticompetitive Practices
    * Rulemaking
    * Statutes
    * Competition and Consumer Protection Guidance Documents
    * Warning Letters
    * Consumer Sentinel Network
    * Criminal Liaison Unit
    * Recent FTC Cases Resulting in Refunds
    * Notices of Penalty Offenses
    * Competition Matters Blog
   
   
   TAKE ACTION
   
    * Report an antitrust violation
    * File adjudicative documents
    * Find banned debt collectors
    * View competition guidance
   
   
   COMPETITION MATTERS BLOG
   
   Competition Matters
   
   
   HSR THRESHOLD ADJUSTMENTS AND REPORTABILITY FOR 2022
   
   the Premerger Notification Office Staff
   February 11, 2022
   
   View all Competition Matters Blog posts

 * Show/hide Policy menu items
   
   
   POLICY
   
   We work to advance government policies that protect consumers and promote
   competition.
   
   View Policy
   
   
   SEARCH OR BROWSE
   THE LEGAL LIBRARY
   
   Find legal resources and guidance to understand your business
   responsibilities and comply with the law.
   
   Browse legal resources
   
   Search small Search
   
   
   SECTIONS
   
    * Advocacy and Research
    * Advisory Opinions
    * Cooperation Agreements
    * Federal Register Notices
    * Reports
    * Public Comments
    * Studies
    * Testimony
    * Policy Statements
    * International
   
   
   TAKE ACTION
   
    * Find policy statements
    * Submit a public comment
   
   
   FEATURE
   
   
   VISION AND PRIORITIES
   
   Memo from Chair Lina M. Khan to commission staff and commissioners regarding
   the vision and priorities for the FTC.
   
   Learn more
   
   
   TECH@FTC BLOG
   
   Tech@FTC
   
   
   ON FTC’S TWITTER CASE: ENHANCING SECURITY WITHOUT COMPROMISING PRIVACY
   
   DPIP and CTO Staff
   May 25, 2022
   
   View all Tech@FTC Blog posts

 * Show/hide Advice and Guidance menu items
   
   
   ADVICE AND GUIDANCE
   
   Learn more about your rights as a consumer and how to spot and avoid scams.
   Find the resources you need to understand how consumer protection law impacts
   your business.
   
   
   TAKE ACTION
   
    * Report fraud
    * Report identity theft
    * Register for Do Not Call
    * Sign up for consumer alerts
    * Get Business Blog updates
    * Get your free credit report
    * Find refund cases
    * Order bulk publications
   
   
   CONSUMER ADVICE
   
    * Shopping and Donating
    * Credit, Loans, and Debt
    * Jobs and Making Money
    * Unwanted Calls, Emails, and Texts
    * Identity Theft and Online Security
    * Scams
   
   
   BUSINESS GUIDANCE
   
    * Advertising and Marketing
    * Credit and Finance
    * Privacy and Security
    * By Industry
    * For Small Businesses
    * Browse Business Guidance Resources
    * Business Blog
   
   
   SERVICEMEMBERS:
   YOUR TOOL FOR FINANCIAL READINESS
   
   Visit militaryconsumer.gov
   
   
   GET CONSUMER PROTECTION BASICS, PLAIN AND SIMPLE
   
   Visit consumer.gov
   
   
   LEARN HOW THE FTC PROTECTS FREE ENTERPRISE AND CONSUMERS
   
   Visit Competition Counts
   
   
   LOOKING FOR COMPETITION GUIDANCE?
   
   Competition Guidance

 * Show/hide News and Events menu items
   
   
   NEWS AND EVENTS
   
   
   LATEST NEWS
   
   Press Release
   
   
   FTC TAKES ACTION AGAINST WEBER FOR ILLEGALLY RESTRICTING CUSTOMERS’ RIGHT TO
   REPAIR
   
   July 7, 2022
   
   View News and Events
   
   
   UPCOMING EVENT
   
   Jul18
   
   
   CROSSING THE CONSUMER WELFARE RUBICON: A CONVERSATION WITH COMMISSIONER
   PHILLIPS OF THE FEDERAL TRADE COMMISSION
   
   Monday, July 18, 2022 | 1:30PM - 2:30PM
   
   View more Events
   
   
   SECTIONS
   
    * News
    * Events
    * Features
    * Topics
    * Data and Visualizations
    * Stay Connected
   
   Sign up for the latest news
   
   
   FOLLOW US ON SOCIAL MEDIA
   
            
   
   
   FEATURE
   
   
   CORONAVIRUS SCAMS
   
   Spot the latest COVID scams, get compliance guidance, and stay up to date on
   FTC actions during the pandemic.
   
   
   LATEST DATA VISUALIZATION
   
   
   DAILY COVID-19 COMPLAINT DATA(LINK IS EXTERNAL)
   
   Use our visualizations to explore scam and fraud trends in your state based
   on reports from consumers like you. 

 * Show/hide About the FTC menu items
   
   
   ABOUT THE FTC
   
   Our mission is protecting consumers and competition by preventing
   anticompetitive, deceptive, and unfair business practices through law
   enforcement, advocacy, and education without unduly burdening legitimate
   business activity.
   
   Learn more about the FTC
   
   
   SECTIONS
   
    * Mission
    * History
    * Commissioners and Staff
    * Bureaus and Offices
    * Budget and Strategy
    * Office of Inspector General
    * Careers at the FTC
    * Contact
   
   
   FEATURED
   
   
   MEET THE CHAIR
   
   Lina Khan was sworn in as Chair of the Federal Trade Commission on June 15,
   2021.
   
   Chair Lina Khan

 * Search Show/hide Search menu items
   
   Enter Search Term(s):
   
   Looking for legal documents or records? Search the Legal Library instead.


TRANSLATION MENU

 * Español


SECONDARY MENU

 * Report Fraud
 * Sign Up for Consumer Alerts
 * Search the Legal Library

 * Enforcement Show/hide Enforcement menu items
   * Cases and Proceedings
   * Premerger Notification Program
   * Merger Review
   * Anticompetitive Practices
   * Rulemaking
   * Statutes
   * Competition and Consumer Protection Guidance Documents
   * Warning Letters
   * Consumer Sentinel Network
   * Criminal Liaison Unit
   * Recent FTC Cases Resulting in Refunds
   * Notices of Penalty Offenses
   * Competition Matters Blog
 * Policy Show/hide Policy menu items
   * Advocacy and Research
   * Advisory Opinions
   * Cooperation Agreements
   * Federal Register Notices
   * Reports
   * Public Comments
   * Studies
   * Testimony
   * Policy Statements
   * International
 * Advice and Guidance Show/hide Advice and Guidance menu items
   * Consumer Advice
   * Military Consumer
   * Consumer.gov
   * Business Guidance
   * Competition Guidance
   * Bulk Publications
 * News and Events Show/hide News and Events menu items
   * News
   * Events
   * Features
   * Topics
   * Data and Visualizations
   * Stay Connected
 * About the FTC Show/hide About the FTC menu items
   * Mission
   * History
   * Commissioners and Staff
   * Bureaus and Offices
   * Budget and Strategy
   * Office of Inspector General
   * Careers at the FTC
   * Contact


Enter Search Term(s):  

Looking for legal documents or records? Search the Legal Library instead.


BREADCRUMB

 1. Home
 2. News and Events
 3. News
 4. Press Releases

For Release


FTC TAKES ACTION AGAINST CAFEPRESS FOR DATA BREACH COVER UP

Commission orders e-commerce platform to bolster data security and provide
redress to small businesses
March 15, 2022
AddThis Sharing Buttons
Share to FacebookFacebookShare to TwitterTwitterShare to LinkedInLinkedIn

Tags:

 * Consumer Protection
 * Southwest Region
 * Bureau of Consumer Protection
 * Privacy and Security
 * Consumer Privacy
 * Data Security
 * Privacy Shield

The Federal Trade Commission today took action against online customized
merchandise platform CafePress over allegations that it failed to secure
consumers’ sensitive personal data and covered up a major breach. The FTC
alleges that CafePress failed to implement reasonable security measures to
protect sensitive information stored on its network, including plain text Social
Security numbers, inadequately encrypted passwords, and answers to password
reset questions. The Commission’s proposed order requires the company to bolster
its data security and requires its former owner to pay a half million dollars to
compensate small businesses.

“CafePress employed careless security practices and concealed multiple breaches
from consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer
Protection. “These orders dial up accountability for lax security practices,
requiring redress for small businesses that were harmed, and specific controls,
like multi-factor authentication, to better safeguard personal information.”

In a complaint filed against Residual Pumpkin Entity, LLC, the former owner of
CafePress, and PlanetArt, LLC, which bought CafePress in 2020, the FTC alleged
that CafePress failed to implement reasonable security measures to protect the
sensitive information of buyers and sellers stored on its network. In addition
to storing Social Security numbers and password reset answers in clear, readable
text, CafePress retained the data longer than was necessary. The company also
failed to apply readily available protections against well-known threats and
adequately respond to security incidents, the complaint alleged. As a result of
its shoddy security practices, CafePress’ network was breached multiple times.

According to the complaint, a hacker exploited the company’s security failures
in February 2019 to access millions of email addresses and passwords with weak
encryption; millions of unencrypted names, physical addresses, and security
questions and answers; more than 180,000 unencrypted Social Security numbers;
and tens of thousands of partial payment card numbers and expiration dates. Some
of the information was later found for sale on the Dark Web.

After being notified a month later that it had a security vulnerability and that
hackers had obtained consumer data, CafePress patched the vulnerability but
failed to properly investigate the breach for several months despite additional
warnings, the complaint alleged. This included a warning in April 2019 from a
foreign government, which notified the company that a hacker had illegally
obtained CafePress customer account information and urged the company to notify
affected customers. The company, however, withheld this essential information,
and instead only told customers to reset their passwords as part of an update to
its password policy.

The complaint alleges CafePress did not inform affected customers until
September 2019—one month after the breach was reported widely. The company’s lax
security practices, however, still left many consumers at risk. For example, the
company continued to allow people to reset their passwords on the website by
answering security questions associated with customer email addresses—the same
information that had been previously stolen by hackers.

According to the complaint, CafePress was aware of problems with its data
security prior to the 2019 data breach. Through at least January 2018, when
CafePress determined that certain accounts of shopkeepers had been hacked,
CafePress closed the accounts and charged the victims a $25 account closure fee.
The company also experienced several malware infections to its network prior to
the 2019 hack but failed to investigate the source of such attacks.

In addition to its security failures, the FTC alleged the company misled users
by using consumer email addresses for marketing despite its promises that such
information would only be used to fulfill orders consumers had placed.

As part of the proposed settlement, Residual Pumpkin and PlanetArt will be
required to implement comprehensive information security programs that will
address the problems that led to the data breaches at CafePress. This includes
replacing inadequate authentication measures such as security questions with
multi-factor authentication methods; minimizing the amount of data they collect
and retain; and encrypting Social Security numbers.

In addition, the proposed settlement requires Residual Pumpkin to pay $500,000
in redress to victims of the data breaches. PlanetArt will be required to notify
consumers whose personal information was accessed as a result of CafePress’s
data breaches and provide specific information about how consumers can protect
themselves. Both companies will be required to have a third party assess their
information security programs and provide the Commission with a redacted copy of
that assessment suitable for public disclosure.

The Commission voted 4-0 to issue the proposed administrative complaint and to
accept the consent agreement with the companies.

The FTC will publish a description of the consent agreement package in the
Federal Register soon. The agreement will be subject to public comment for
30 days after publication in the Federal Register after which the Commission
will decide whether to make the proposed consent order final. Instructions for
filing comments will appear in the published notice. Once processed, comments
will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to
believe” that the law has been or is being violated, and it appears to the
Commission that a proceeding is in the public interest. When the Commission
issues a consent order on a final basis, it carries the force of law with
respect to future actions. Each violation of such an order may result in a civil
penalty of up to $46,517.

The Federal Trade Commission works to promote competition and protect and
educate consumers. Learn more about consumer topics at consumer.ftc.gov, or
report fraud, scams, and bad business practices at ReportFraud.ftc.gov. Follow
the FTC on social media, read consumer alerts and the business blog, and sign up
to get the latest FTC news and alerts.


CONTACT INFORMATION


MEDIA CONTACT

Juliana Gruenwald-Henderson 

Office of Public Affairs

202-326-2924


STAFF CONTACTS

M. Hasan Aijaz

FTC Southwest Region

214-979-9386

Matthew J. Wilshire

FTC Southwest Region

214-979-9362


RELATED CASES

CafePress, In the Matter of


FOR BUSINESSES

Data Security

Data Breach Response: A Guide for Business

Blog: Data breach prevention and response: Lessons from the CafePress case




TOPICS

Privacy and Security Enforcement
Data Security
Return to top

Menu


SECONDARY MENU

 * Report Fraud
 * Sign Up for Consumer Alerts
 * Search the Legal Library


MAIN NAVIGATION

 * Enforcement
   * Cases and Proceedings
   * Premerger Notification Program
   * Merger Review
   * Anticompetitive Practices
   * Rulemaking
   * Statutes
   * Competition and Consumer Protection Guidance Documents
   * Warning Letters
   * Consumer Sentinel Network
   * Criminal Liaison Unit
   * Recent FTC Cases Resulting in Refunds
   * Notices of Penalty Offenses
   * Competition Matters Blog
 * Policy
   * Advocacy and Research
   * Advisory Opinions
   * Cooperation Agreements
   * Federal Register Notices
   * Reports
   * Public Comments
   * Studies
   * Testimony
   * Policy Statements
   * International
 * Advice and Guidance
   * Consumer Advice
   * Military Consumer
   * Consumer.gov
   * Business Guidance
   * Competition Guidance
   * Bulk Publications
 * News and Events
   * News
   * Events
   * Features
   * Topics
   * Data and Visualizations
   * Stay Connected
 * About the FTC
   * Mission
   * History
   * Commissioners and Staff
   * Bureaus and Offices
   * Budget and Strategy
   * Office of Inspector General
   * Careers at the FTC
   * Contact


FOOTER

 * Privacy Policy
 * Policy and Notices
 * FOIA
 * No FEAR Act
 * Office of Inspector General
 * USA.gov

(link is external)
(link is external)
(link is external)
(link is external)




Play Icon Feedback