FTC Levied Meager $500K Fine for Data Breach
Dark Web Hackers Infiltrate Poor Security
The 23 million customers of the CafePress t-shirt company should be fuming right now. Recently, the merchandising website's former owner, Residual Pumpkin Entity, LLC, was given a slap on the wrist by the Federal Trade Commission (FTC). The meager $500,000 fine levied by the FTC is reported to be the punishment for a monstrous data breach carried out by dark web hackers. According to the FTC, the company had failed to implement proper security measures to protect the private information of its 23 million affected customers.
The exposed personal information included Social Security numbers, which Residual Pumpkin Entity stored without encryption. The company is also accused of keeping its customers' password reset answers in plain text for excessively long periods, where they could easily be read by any criminal hacker who got into the database.
According to the March 2022 complaint, the organization neither implemented safeguards nor provided technical staff to monitor and resolve security problems efficiently. Worse, the company's negligence allowed threat actors to launch several hacking attacks on its servers.
In addition, CafePress failed to report the attacks on its servers to law enforcement officials; instead, it covered up the data breach.
Mandated Security Measures
For its lax security procedures, a finalized order against Residual Pumpkin and PlanetArt (CafePress' new owner) was issued, including the $500,000 payment. The companies were required to establish multi-factor authentication and to safeguard clients' Social Security numbers through encryption. Also, the data gathered and stored in the future must be limited to what is actually needed.
Additionally, as part of the meager settlement, PlanetArt must provide security guidance to all customers affected by the lax security measures that contributed to the extensive February 2019 data breach.
The hack on CafePress' servers reportedly happened in early 2019; however, criminal hackers had previously gained access to the company's private database in January 2018. Reportedly, over more than a year, the unidentified attackers stole and sold the personal data of 23,205,290 CafePress customers.
Dark Web Markets Sold Stolen Data
With the stolen personal data, the threat actors obtained millions of email addresses and passwords, the passwords protected only by inadequate encryption. Also exposed were millions of names, addresses, and security questions and answers that the company had failed to encrypt, and the company concealed the hack from the FTC and from other investigative agencies such as the FBI.
In addition, thousands of credit card numbers and expiration dates and more than 180,000 unencrypted Social Security numbers were sold on several dark web marketplaces to criminal hacking groups. According to the FTC statement, CafePress hid the significant data breach until September 2019, about a month after the breach was documented on the BleepingComputer website.
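To make concrete why plaintext reset answers and weakly protected passwords are worth so much on a dark web market, here is an added Python example (written for this page, not CafePress's or the FTC's code) that stores a record the weak way and the hardened way and runs a dictionary lookup against both. The page does not say which algorithm CafePress used, so unsalted SHA-1 is assumed here purely as the illustrative weak form; the sample passwords, answers and wordlist are constructed, not real breach data.

```python
"""Weak vs hardened credential storage, stdlib only.
Assumption: unsalted SHA-1 stands in for the 'inadequate' hashing the
complaint describes. All records and the wordlist below are constructed."""
import hashlib
import hmac
import secrets

# Constructed tiny wordlist standing in for the dictionaries attackers
# run against a leaked password database.
WORDLIST = ["password", "summer2019", "tshirt!", "letmein", "cafepress1"]


def weak_store(password: str, reset_answer: str) -> dict:
    """Weak record: unsalted fast hash of the password, plaintext reset answer."""
    return {
        "pw": hashlib.sha1(password.encode()).hexdigest(),
        "reset_answer": reset_answer,   # readable by anyone holding the dump
    }


def build_lookup_table(wordlist) -> dict:
    """Precompute sha1(word) -> word. One table cracks every unsalted record."""
    return {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}


def crack_unsalted(pw_hash: str, table: dict):
    """Reverse a stored hash by table lookup; None if it is not in the table."""
    return table.get(pw_hash)


def _normalize(answer: str) -> str:
    # Reset answers are compared case- and whitespace-insensitively in
    # practice; normalize before hashing so 'Rex' and ' rex ' verify alike.
    return " ".join(answer.lower().split())


def _kdf(secret: str, salt: bytes) -> bytes:
    # scrypt with a per-record salt: deliberately slow to brute force and
    # immune to precomputed tables. Parameters suit an interactive login.
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1,
                          maxmem=2**26, dklen=32)


def hardened_store(password: str, reset_answer: str) -> dict:
    """Hardened record: the reset answer is a secret too, so both get
    their own random salt and a slow KDF instead of plaintext."""
    pw_salt = secrets.token_bytes(16)
    ans_salt = secrets.token_bytes(16)
    return {
        "pw_salt": pw_salt.hex(),
        "pw": _kdf(password, pw_salt).hex(),
        "ans_salt": ans_salt.hex(),
        "reset_answer": _kdf(_normalize(reset_answer), ans_salt).hex(),
    }


def hardened_verify(record: dict, password: str, reset_answer: str) -> bool:
    """Constant-time comparison of both secrets against the stored record."""
    pw_ok = hmac.compare_digest(
        _kdf(password, bytes.fromhex(record["pw_salt"])).hex(), record["pw"])
    ans_ok = hmac.compare_digest(
        _kdf(_normalize(reset_answer), bytes.fromhex(record["ans_salt"])).hex(),
        record["reset_answer"])
    return pw_ok and ans_ok


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    weak = weak_store("summer2019", "Rex")
    print("weak password cracked:", crack_unsalted(weak["pw"], table))
    print("weak reset answer read directly:", weak["reset_answer"])
    hard = hardened_store("summer2019", "Rex")
    print("hardened lookup result:", crack_unsalted(hard["pw"], table))
    print("hardened verify:", hardened_verify(hard, "summer2019", " rex "))
```

The lookup table recovers the weak record's password outright and the reset answer needs no work at all, while the same table finds nothing against the salted scrypt record and an attacker must pay the KDF cost per guess per account. Social Security numbers are a different case: the business needs them back, so they call for encryption at rest with the key held outside the database rather than hashing, which is the encryption the FTC order requires.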
The FTC, in its March 2022 complaint, states that CafePress “misled users by exploiting consumer email addresses for marketing despite its claims that such information would only be used to complete orders customers had placed”.