The Federal Trade Commission (FTC) took action against the online customized merchandise platform CafePress over allegations that it failed to secure consumers’ sensitive personal data and covered up a major breach. Users of CafePress complained to the FTC after hackers accessed the information of millions of the platform’s users. The hackers exploited the company’s security failures to obtain the access they needed.
According to the FTC’s complaint, CafePress failed to implement security measures to protect sensitive information, including Social Security numbers stored in plain text, inadequately encrypted passwords, and answers to password reset questions. Because of these missing safeguards, hackers were able to breach the network multiple times. They were able to access:
- Millions of email addresses and passwords with weak encryption
- Physical addresses
- Millions of unencrypted names
- Security questions and answers
- More than 180,000 unencrypted Social Security numbers
- Tens of thousands of partial payment card numbers and expiration dates.
Some of this information was later found for sale on the dark web.
When CafePress was notified of the security vulnerability and that hackers had obtained consumer data, it addressed the issue but failed to properly investigate the breach for several months, despite additional warnings.
In addition to the breach, the company was also found to have misused consumers’ email addresses. Customers were told their email addresses would only be used to fulfil orders; CafePress then went on to use them for marketing purposes.
Decision
Under the settlement agreement, CafePress will now have to take a number of actions:
- Implement a comprehensive information security program. This includes:
  - Replacing inadequate authentication methods, such as security questions, with multi-factor authentication
  - Minimizing the amount of data it collects and retains
  - Encrypting Social Security numbers
- Notify all consumers whose data was accessed as a result of the data breaches
- Provide specific information about how consumers can protect themselves
- Have a third party assess its information security program
- Provide the Commission with a redacted copy of that assessment suitable for public disclosure
- Pay $500,000 USD in redress to victims of the data breaches
The FTC released some advice on data breach prevention following this case. Value Privacy can help you understand exactly what you and your company need to be doing. As more US states come forward with their own privacy laws, the information out there is overwhelming. We offer a team of experts to handle your data and privacy needs. Find out more information or contact us today.