Data breach prevention and response: Lessons from the CafePress case
Many small businesses go to online retailing platform CafePress when they want to buy or sell customized items. However, according to a proposed FTC settlement, the company’s lax security practices allowed data thieves to take the idea of “personalization” in a disturbingly different direction. The complaint alleges that hackers exploited the company’s security failures to access personal information about millions of CafePress users – including home addresses, email addresses, passwords, security questions and answers, more than 180,000 unencrypted Social Security numbers, and partial payment card data from thousands of people. It’s particularly troubling that some of that information was later found for sale on a far more nefarious online platform – the Dark Web.
Although CafePress told customers that “100% complete security does not presently exist anywhere online or offline,” the company also touted that “our servers are secure” and that it “pledges to use the best and most accepted methods and technologies to insure your personal information is safe and secure.” On the checkout pages, it went so far as to say “Safe and Secure Shopping. Guaranteed.”
Where does the FTC say CafePress went wrong? According to the complaint, here are just some examples of the company’s questionable data practices:
- CafePress stored Social Security numbers and security Q&As in clear, readable text, and kept personal information indefinitely on its network without a business need;
- CafePress didn’t put readily-available protections in place against well-known vulnerabilities like Structured Query Language (SQL) injection attacks;
- CafePress failed to take reasonable steps to protect passwords and didn’t require users to create complex ones that would be harder to guess;
- CafePress failed to implement reasonable procedures to prevent, detect, or investigate intrusions on its network; and
- When CafePress experienced security episodes, it failed to respond reasonably.
You’ll want to read the complaint for details about multiple security incidents. But here’s the backstory about just one such episode – and the timeline is important here. According to the FTC, a person contacted CafePress in March 2019, revealing that the company had been hacked the month before and that its customer data “is currently for sale in certain circles.” The company confirmed the breach and installed a security patch, but remained mum about the matter. It required returning customers to reset their passwords, but chalked it up to an updated password policy.
In the ensuing months, the company received multiple alerts from individuals and a foreign government, including a warning that its customer data was for sale on the Dark Web. In addition, third-party monitoring services began to alert CafePress customers that their data had been hacked. It wasn’t until September 2019 – six months after CafePress was first told of the breach – that the company sent breach notifications to government agencies and affected customers.
In addition to the typical injuries that breaches impose on people, this breach took a particularly nasty turn when scammers used passwords in extortion attempts. Crooks sent emails to consumers, claiming they had obtained damaging personal information by hacking into the person’s computer and would release it unless paid in bitcoin. To add credibility to their claims, the scammers included the consumer’s recovered password in the extortion message.
The complaint alleges additional ways that small businesses and consumers were harmed by that breach and other security episodes. For example, in an earlier incident, the company learned that the accounts of certain “shopkeepers” – small businesses or individuals who sold items on CafePress – had been hacked. In a response that may define the phrase “adding insult to injury,” the company shut down those accounts and then charged each account holder a $25 closure fee. In other instances, the FTC alleges that the company withheld payable commissions from shopkeepers who accounts were closed due to a security breach.
The six-count complaint names Residual Pumpkin Entity, LLC, the former owner of CafePress, and PlanetArt, LLC, which bought CafePress in 2020. Among other things, the lawsuit alleges that the company misrepresented its data security practices, engaged in unfair security practices, and failed to take appropriate steps to secure accounts following security incidents.
The proposed settlement required the company to pay $500,000 in redress and to send notices to consumers telling them about the breach and the FTC settlement. The proposed order includes a number of other provisions that merit careful attention. For example, the order requires the company to replace any authentication methods that use security questions and answers with multi-factor authentication methods. The order also mandates that the company put in place and maintain an Information Security Program that includes (among other things) policies and procedures for data minimization and data deletion. That program must require the encryption of all Social Security numbers on the company’s networks – a particularly important protection because the company collects SSNs from small businesses for tax reporting purposes. And in addition to submitting third-party security assessments with the FTC, the company must provide redacted versions suitable for public disclosure. Once the proposed order is published in the Federal Register, the FTC will receive public comments for 30 days.
The case suggests more compliance nuggets than can be summarized here, but these may be the top three.
Don’t make it easy for data thieves to steal customer information. Hack happens, but there are numerous, cost-effective steps companies can take so their networks aren’t low-hanging fruit. The FTC offers to-the-point guidance on data security fundamentals, with special cybersecurity resources for small businesses.
Take security warnings seriously. If customers, government agencies, or others are telling you that you may have been hacked, investigate immediately.
Respond to security episodes honestly, transparently – and quickly. If your company has experienced a breach, respond with candor and speed. Move swiftly to implement a rapid response plan that honors your obligations under federal and state law. Read Data Breach Response: A Guide for Business for advice on how to secure your operations, fix vulnerabilities, and contact the people who need to know.
