FTC finalizes order over CafePress security issues

The Federal Trade Commission finalized settlement orders Friday that require online custom merchandise platform CafePress to beef up security and force the company’s former owner to pay half a million dollars to small business owners over allegations it left sensitive information vulnerable and then tried to cover up a major breach.

The FTC announced an action in March against former CafePress owner Residual Pumpkin Entity LLC and PlanetArt LLC, which purchased the platform in 2020. In the agency’s complaint, it alleged the company had poor information security practices, including storing personal information such as Social Security Numbers in plaintext, and had suffered a series of cybersecurity incidents.

CafePress also tried to cover up a major data breach in 2019, the FTC alleged, failing to notify affected customers until a month after it was widely reported. The agency’s commissioners voted 5-0 to finalize the orders.

Representatives for Residual Pumpkin Entity and PlanetArt did not immediately respond to requests for comment.

Per the FTC’s announcement, the comprehensive security programs both companies must now deploy will require them to:

Replace inadequate authentication measures with multifactor authentication methods;

Minimize the amount of data they collect and retain;

Encrypt Social Security numbers; and

Have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.

Andrea Peterson

Andrea (they/them) is senior policy correspondent at The Record and a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP), then The Washington Post from 2013 through 2016, before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight. Their work has also been published at Slate, Politico, The Daily Beast, Ars Technica, Protocol, and other outlets. Peterson also produces independent creative projects under their Plain Great Productions brand and can generally be found online as kansasalps.
