Cafe Press Fined $500K For Data Breach

This is the sort of story that I like writing about, as it illustrates that companies who don’t seriously protect their customers’ data will be held to account. In this case Cafe Press, who I’ve written about before, has been fined $500,000 for a data breach that affected 23 million customers. You can read about it here, but I’ll hit the highlights for you:

  • Residual Pumpkin and PlanetArt who now own Cafe Press have to implement multi-factor authentication
  • They have to minimize the amount of collected and retained data
  • They have to encrypt all stored Social Security numbers
  • PlanetArt is being ordered to alert buyers and sellers whose personal info was accessed or stolen during the security breaches and provide them with information on how they can protect themselves

All of this centers around a February 2019 breach of CafePress’ servers where unknown attackers gained access to, stole, and later put up for sale on the dark web personal information belonging to 23,205,290 CafePress users. Then CafePress tried to cover this up until it was reported by Bleeping Computer. And to top it all off, the company knew they had issues but didn’t do anything about it. And they also didn’t investigate any of the attacks. Which makes it pretty clear that dealing with Cafe Press is a bad idea. Though this fine may have them rethink how they handle customer data going forward.
