On March 15, 2022, the Federal Trade Commission (FTC) announced a proposed settlement with custom merchandise platform CafePress in connection with the company’s alleged failure to implement reasonable security measures, and its alleged attempt to cover up a 2019 data breach. The proposed settlement would require CafePress to implement a comprehensive data security program and pay $500,000 in redress to affected individuals.

In its complaint, the FTC alleged that CafePress failed to implement reasonable security measures to protect the personal information of consumers and merchants stored on its systems. The FTC specifically alleged that CafePress stored Social Security numbers and password reset answers in plain text, retained data longer than necessary, failed to protect against known threats, and failed to adequately respond to security incidents.

In 2018, CafePress allegedly determined that certain merchant accounts had been breached, a number of company servers were infected with malware, and multiple CafePress employees were targeted by phishing attempts. The FTC alleged that, despite having this knowledge, CafePress failed to take reasonable steps to detect, remediate, and prevent similar incidents.

The complaint further alleged that, in 2019, a threat actor exploited CafePress’s security vulnerabilities to access millions of email addresses and passwords with weak encryption; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates. Some of this data was later found for sale on the dark web.

When later notified of the breach, CafePress allegedly patched the vulnerability, but failed to properly investigate the breach for several months despite a foreign government warning the company that a threat actor had sold affected CafePress data. According to the complaint, CafePress only told customers to reset their passwords as part of an update to its password policy. The FTC alleged that CafePress did not inform affected customers until September 2019—one month after the breach was reported widely. The complaint further alleged that CafePress continued to engage in lax security practices and misled consumers about its use of consumer data for marketing purposes.

As a part of the proposed settlement, Residual Pumpkin, the former owner of CafePress, would be required to pay $500,000 to affected individuals. PlanetArt, the company’s new owner, would be required to notify affected individuals, as well as implement a comprehensive information security program. Both companies would be subject to third-party assessments of their information security programs.