What Happened
In February 2019, the online custom merchandise retailer CafePress suffered a data breach that compromised approximately 22-23 million accounts, exposing customer names, email addresses, passwords, physical addresses, phone numbers, and in some cases full unencrypted Social Security numbers and partial payment card information. A hacker exploited CafePress’s inadequate security practices—including unencrypted data storage, weak password encryption, and lack of intrusion detection procedures—to access the sensitive information, with some data later found for sale on the dark web. The company’s response was heavily criticized: after discovering the vulnerability in March 2019 and receiving a warning from a foreign government in April 2019 about the stolen data, CafePress delayed a full investigation for months and did not notify affected customers until September 2019, initially disguising the breach as a routine password policy update. The FTC subsequently took action against CafePress, resulting in a $500,000 settlement with the former owner and a separate $2 million multistate settlement, requiring the company to implement comprehensive security improvements including encryption, multi-factor authentication, and third-party security assessments.
