FTC finalizes order over CafePress security issues
FTC building (Source: ipse dixit on Unsplash)
Andrea Peterson June 24, 2022

The Federal Trade Commission finalized settlement orders Friday that require online custom merchandise platform CafePress to beef up security and force the company’s former owner to pay half a million dollars to small business owners over allegations it left sensitive information vulnerable then tried to cover up a major breach.

The FTC announced an action in March against former CafePress owner Residual Pumpkin Entity LLC and PlanetArt LLC, which purchased the platform in 2020. In the agency’s complaint, it alleged the company had poor information security practices, including leaving personal information such as Social Security numbers in plaintext, and a series of cybersecurity incidents.

CafePress also tried to cover up a major data breach in 2019, the FTC alleged, failing to notify affected customers until a month after it was widely reported. The agency’s commissioners voted 5-0 to finalize the orders.

Representatives for Residual Pumpkin Entity and PlanetArt did not immediately respond to requests for comment.

Per the FTC’s announcement, the comprehensive security programs both companies must now deploy will require them to:

Replace inadequate authentication measures with multifactor authentication methods;

Minimize the amount of data they collect and retain;

Encrypt Social Security numbers; and

Have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.

Andrea (they/them) is senior policy correspondent at The Record and a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP), then The Washington Post from 2013 through 2016, before doing deep dive public records investigations at the Project on Government Oversight and American Oversight. Their work has also been published at Slate, Politico, The Daily Beast, Ars Technica, Protocol, and other outlets. Peterson also produces independent creative projects under their Plain Great Productions brand and can generally be found online as kansasalps.