Web provider CafePress fined $500,000 for placing a low value on cybersecurity – Naked Security

CafePress is a web service that allows artists, stores, businesses, fan clubs (in fact, anyone who signs up) to turn designs, slogans, logos, and the like into fun products that they can give away or sell to others.

Gone are the days of having to order several hundred coffee mugs (or golf balls, mouse pads, T-shirts, or hoodies) just to get one with your company name on it, thanks to the merchandise orders made possible by online ordering.

Unfortunately, as the US Federal Trade Commission explained last week in a case report bluntly titled CafePress, About, the company was not up to the task when it came to taking care of the personal data of its registered customers and vendors.

According to the FTC, the CafePress service experienced a data breach, discovered and reported in early 2019, that was not acted upon quickly or effectively, leaving the ultimate side effects of the breach much worse than they should have been.

In other words, although the company itself was the victim of a cybercrime, it has been censured and fined for what it did (and did not do), both before and after this cybercrime occurred.

The breach, the FTC says, saw hackers seize more than 20,000,000 plain-text email addresses and weakly encrypted passwords; millions of unencrypted names, physical addresses, and security questions and answers; over 180,000 unencrypted SSNs (Social Security Numbers); and, for tens of thousands of payment cards, the last four digits of the card plus the expiration date.

The company’s failure to follow up on this oversight led to a clear headline in the government’s own press release: FTC takes action against CafePress for data breach cover-up.