CafePress data breach

What Happened

In February 2019, custom merchandise platform CafePress suffered a major data breach that exposed approximately 23.2 million records, including millions of email addresses and passwords with weak encryption, millions of unencrypted names, physical addresses, and security questions/answers, more than 180,000 unencrypted Social Security numbers, and tens of thousands of partial payment card numbers. The breach resulted from CafePress’s failure to implement reasonable security measures, including storing Social Security numbers and password reset answers in plain text, retaining data longer than necessary, and failing to protect against known threats. After being notified of the breach in March 2019, CafePress delayed its response for several months despite warnings from a foreign government that stolen data was being sold on the dark web, and did not inform affected customers until September 2019. In response, the Federal Trade Commission announced a proposed settlement in March 2022 requiring the former owner, Residual Pumpkin Entity, to pay $500,000 in redress to affected individuals, while the new owner PlanetArt was required to implement comprehensive information security programs and notify consumers.

Compromised Assets

  • email
