CafePress is a web service that allows artists, stores, businesses, fan clubs (in fact, anyone who signs up) to turn designs, slogans, logos, and the like into fun products that they can give away or sell to others.
Gone are the days of having to order several hundred coffee mugs (or golf balls, mouse pads, T-shirts, or hoodies) just to get one with your company name on it, now that single-item merchandise orders are possible online.
Unfortunately, as the US Federal Trade Commission explained last week in a case report bluntly titled CafePress, In the Matter of, the company was not up to the task when it came to taking care of the personal data of its registered customers and vendors.
According to the FTC, the CafePress service experienced a data breach, discovered and reported in early 2019, that was not acted upon quickly or effectively, so that the ultimate side effects of the breach were much worse than they should have been.
In other words, although the company itself was the victim of a cybercrime, it has been censured and fined for what it did (and did not do), both before and after this cybercrime occurred.
The breach, the FTC says, saw hackers seize more than 20,000,000 plain-text email addresses and weakly encrypted passwords; millions of unencrypted names, physical addresses, and security questions and answers; over 180,000 unencrypted SSNs (Social Security Numbers); and, for tens of thousands of payment cards, the last four digits of the card plus the expiration date.
The company’s failure to follow up on this oversight led to a clear headline in the government’s own press release: FTC takes action against CafePress for data breach cover-up.
Consent order issued
As part of the FTC settlement (known in American parlance as a consent order), the owner of CafePress at the time, a company with the curious name of Residual Pumpkin, will pay a fine of $500,000.
Both Residual Pumpkin and the new owner of the website, PlanetArt, will be subject to many other conditions, including submitting security assessments every two years for the next 20 years.
Importantly, for any company still paying little more than lip service to cybersecurity, the FTC was not unsympathetic to CafePress as a victim of cybercrime.
But the FTC sharply criticized CafePress as a 21st-century owner and processor of personal information.
In particular, the FTC censured CafePress for the following:
- Misrepresenting the steps it took to protect personal information.
- Misrepresenting the steps it took to protect consumer accounts after security incidents.
- Failing to use reasonable data security practices.
- Misrepresenting how email addresses would be used.
- Falsely claiming compliance with privacy regulations in the US and the EU.
- Misrepresenting its intention to comply with customer and vendor data deletion requests.
The FTC's specific complaints about cybersecurity and data protection included:
- Storing password hashes without salting or stretching, making passwords much easier to crack if a password database is stolen, as happened in this case.
- Storing password recovery questions and answers in plain text, making it easy for criminals to reset passwords after a breach.
- Continuing to allow those stolen recovery answers to be used for password resets for at least six months after claiming to have fixed that problem.
- Failing to notify users of the breach for several months after it was first reported, and for several weeks even after learning that stolen customer data was for sale on the dark web.
- Not following up malware infection incidents with any kind of threat analysis to see what security holes might have been opened by that malware.
- Not noticing the takeover of an employee's email account for several months after that staff member experienced multiple malware incidents.
- Failing to investigate attempts to divert employee payroll deposits until the third time this criminal activity was reported.
- Not having any reliable way to receive and act on security alerts from bona fide security researchers, customers, or third parties, including public sector cybersecurity responders.
- Not applying patches against known vulnerabilities, and continuing to use outdated software that no longer received any patches.
- Charging users a $25 fee for closing their accounts as a result of the breach.
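The first two items in the list above (unsalted, unstretched password hashes, and recovery answers stored in plain text) are the most concrete technical failures the FTC named. The following Python is an added example written for this article, not CafePress code or anything from the FTC filing: it puts a single fast unsalted hash next to a salted, stretched scheme (PBKDF2-HMAC-SHA256 from the standard library) and applies the same routine to recovery answers. The iteration count, record format and sample users are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- The weak scheme: one fast hash, no per-user salt, no stretching. ---
# Every user who picks the same password gets the same stored value, so a
# single precomputed table cracks all of them at once, and each guess costs
# the attacker only one SHA-1 call.
def weak_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# --- The hardened scheme: random per-user salt plus key stretching. ---
# ITERATIONS is an assumed value; pick it so one hash takes a noticeable
# fraction of a second on your own hardware and revisit it over time.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    Storing the parameters with the hash lets you raise the work factor
    later and re-hash users on their next login without a flag day.
    """
    salt = salt or os.urandom(16)  # 16 random bytes per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never treat as a match
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Recovery answers are secrets too. Normalise them (case, surrounding and
# repeated whitespace) so "Fluffy " and "fluffy" still match, then protect
# them exactly like a password instead of storing them in plain text.
def normalise_answer(answer: str) -> str:
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    return hash_password(normalise_answer(answer), salt, iterations)


def verify_answer(answer: str, stored: str) -> bool:
    return verify_password(normalise_answer(answer), stored)


if __name__ == "__main__":
    # Constructed sample users; both chose the same (bad) password.
    users = {"alice": "password1", "bob": "password1"}
    weak = {u: weak_hash(p) for u, p in users.items()}
    strong = {u: hash_password(p) for u, p in users.items()}
    print("unsalted hashes identical:", weak["alice"] == weak["bob"])
    print("salted+stretched identical:", strong["alice"] == strong["bob"])
    print("alice login ok:", verify_password("password1", strong["alice"]))
    print("recovery answer ok:", verify_answer("  Fluffy ", hash_answer("fluffy")))
```

The record format means a stolen database yields nothing reusable across users (each salt is unique) and each guess costs the attacker the full iteration count; on the defender's side, `verify_password` refusing anything it cannot parse avoids the classic "empty hash matches empty password" bug. A dedicated password-hashing library (bcrypt, scrypt or Argon2) is the usual production choice; PBKDF2 is used here only because it ships with Python.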
1. Treat cybersecurity as a value to maximize, not simply as a cost to minimize. Not only your customers but also regulators expect you to pay more attention to cybersecurity these days.
2. Don’t just remove the malware and move on. Cleaning malware files is a necessary part of your recovery process, but you should look for other side effects that the malware might have caused while it was active.
3. Always investigate anomalies. Don’t wait until the third time cybercriminals try to steal from your staff before taking action to find out what’s going on.
4. Help security researchers locate you easily. The easiest way is to just add a text file called security.txt that is visible at the top level of your main website, as you will see if you visit https://sophos.com/security.txt.
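The format of that file is standardised in RFC 9116, which requires at least a Contact field and exactly one Expires timestamp, recommends an expiry less than a year away, and specifies /.well-known/security.txt as the location (a copy at the top-level path, as in the Sophos example, is the older convention that many sites keep for compatibility). The Python below is an added example for this article, not Sophos tooling: it builds a minimal file from a contact list and validates an existing one against those rules, so you can put the check in CI and never publish a stale file. The field set and the sample contact addresses are assumptions based on the RFC.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Field names defined by RFC 9116. Contact and Expires are mandatory.
REQUIRED_FIELDS = ("Contact", "Expires")
KNOWN_FIELDS = {"Contact", "Expires", "Encryption", "Acknowledgments",
                "Preferred-Languages", "Canonical", "Policy", "Hiring", "CSAF"}


def build_security_txt(contacts: List[str], expires: datetime,
                       canonical: Optional[str] = None,
                       policy: Optional[str] = None) -> str:
    """Render a minimal security.txt; 'expires' must be a timezone-aware datetime."""
    lines = ["# Constructed example security.txt (not a real organisation's file)"]
    for contact in contacts:
        lines.append(f"Contact: {contact}")
    utc = expires.astimezone(timezone.utc)
    lines.append("Expires: " + utc.strftime("%Y-%m-%dT%H:%M:%SZ"))
    if canonical:
        lines.append(f"Canonical: {canonical}")
    if policy:
        lines.append(f"Policy: {policy}")
    return "\n".join(lines) + "\n"


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Collect 'Name: value' lines into {name: [values]}; comments and blanks are skipped."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line; the validator does not need it
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems (empty means the file passes the RFC 9116 checks applied here)."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: List[str] = []

    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field {name}")

    # Contact values are URIs; web addresses must use https, not http.
    for contact in fields.get("Contact", []):
        if not contact.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact should be a mailto:, tel: or https: URI: {contact}")

    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    elif len(expires) == 1:
        try:
            # %z accepts a trailing 'Z' as +00:00 on Python 3.7 and later
            exp = datetime.strptime(expires[0], "%Y-%m-%dT%H:%M:%S%z")
        except ValueError:
            problems.append("Expires is not an ISO 8601 date-time")
        else:
            if exp <= now:
                problems.append("file has expired")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year away; RFC 9116 recommends less")

    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name}")
    return problems


if __name__ == "__main__":
    today = datetime.now(timezone.utc)
    sample = build_security_txt(["mailto:security@example.com"],
                                today + timedelta(days=180),
                                canonical="https://example.com/.well-known/security.txt")
    print(sample)
    print("problems:", validate_security_txt(sample, now=today) or "none")
```

The Expires field is the part most sites get wrong: a file that silently passed its expiry tells a researcher the channel may no longer be monitored, which is precisely the "no reliable way to receive alerts" failure the FTC described. Running `validate_security_txt` against the deployed file on a schedule turns that into an alert for you instead.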
If you don’t have the experience or time to maintain ongoing threat response on your own, consider partnering with a service like Sophos Managed Threat Response. We help you take care of the activities that you have a hard time keeping up with because of all the other daily demands that IT places on you.