
Web vendor CafePress fined $500,000 for giving cybersecurity a low value

CafePress is a web service that lets artists, shops, businesses, fan clubs – anyone who signs up, in fact – turn designs, corporate slogans, logos and the like into fun merchandise they can give away or sell on to others.

The days when you had to put in an order for several hundred coffee mugs (or golf balls, or mousemats, or T-shirts, or hoodies) just to get one with the company name on them are long gone, with even one-off merch orders possible thanks to on-line ordering.

Unfortunately, as the US Federal Trade Commission explained last week in a case report bluntly entitled CafePress, In the Matter of, the company wasn’t up to scratch when it came to looking after the personal data of its customers and signed-up sellers.

According to the FTC, the CafePress service experienced a data breach, discovered and reported in early 2019, that was not acted on promptly or effectively, making the ultimate side-effects of the breach much worse than they ought to have been.

In other words, even though the company was itself the victim of a cybercrime, it has nevertheless been censured and fined for what it did (and didn’t do), both before and after this cybercrime took place.

The breach, says the FTC, saw hackers make off with more than 20,000,000 plaintext email addresses and weakly-hashed passwords; millions of unencrypted names, physical addresses, and security questions-and-answers; more than 180,000 unencrypted SSNs (social security numbers); and, for tens of thousands of payment cards, the last four digits of the card plus the expiry date.

The company’s sloppy follow-up to this sloppy security led to a plain-talking headline on the government’s own press release: FTC Takes Action Against CafePress for Data Breach Cover Up.

Consent order issued

As part of the FTC’s settlement, known in US parlance as a consent order, the owner of CafePress at the time – a company with the quizzical name of Residual Pumpkin – will pay a penalty of $500,000.

Both Residual Pumpkin and the website’s new holding company, Planet Art, will be subject to numerous other conditions, including submitting to security assessments every two years for the next 20 years.

Importantly for any businesses out there that still pay little more than lip service to cybersecurity, the FTC wasn’t unsympathetic to CafePress-the-cybercrime-victim.

But the FTC was deeply critical of CafePress-as-a-21st-century-holder-and-processor-of-personal-information.

In particular, the FTC censured CafePress for the following:

Cybersecurity no-nos

The FTC picked up explicitly on cybersecurity and data protection no-nos such as:

https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/
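The “weakly-hashed passwords” in the FTC’s list are the point worth dwelling on. A fast, unsalted hash gives every user with the same password the same digest and lets an attacker test a wordlist against the whole dump at once; a salted, deliberately slow key-derivation function does neither. The following is an added illustration, not code from CafePress or from the FTC’s filing: it uses unsalted SHA-1 to stand in for “weak” (an assumption for illustration, not a statement about what CafePress used), puts a constructed five-word wordlist against it, and contrasts that with PBKDF2-HMAC-SHA256 and a per-user random salt from the Python standard library. The wordlist and the `pbkdf2_sha256$` storage format are this example’s own choices.

```python
import hashlib
import hmac
import os

# Constructed demo wordlist for the cracking demonstration (not real user data).
WORDLIST = ["password", "123456", "letmein", "cafepress", "hunter2"]


def weak_hash(password: str) -> str:
    """'Weak' storage as assumed for this example: one fast, unsalted hash.

    Identical passwords give identical digests, so one guess checks every
    account in a dump, and commodity GPUs test billions of SHA-1 guesses a second.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_weak(digest: str, wordlist=WORDLIST):
    """Offline dictionary attack against an unsalted fast hash.

    Returns the recovered password, or None if it is not in the wordlist.
    """
    for candidate in wordlist:
        if weak_hash(candidate) == digest:
            return candidate
    return None


# Iteration count in line with current OWASP guidance for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow hashing: a fresh 16-byte random salt per user, then PBKDF2.

    The stored string carries algorithm, iteration count and salt so the
    parameters can be raised later without invalidating existing records.
    (The 'pbkdf2_sha256$...' layout is this example's own convention.)
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    leaked = weak_hash("letmein")
    print("weak digest cracked as:", crack_weak(leaked))
    record = hash_password("letmein")
    print("stored record:", record)
    print("verify correct password:", verify_password("letmein", record))
    print("verify wrong password:  ", verify_password("letmeout", record))
```

Note that the same treatment applies to the “security questions-and-answers” the FTC also found stored in the clear: an answer such as a mother’s maiden name is a low-entropy password and should be salted and hashed like one, not stored in plaintext.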

What to do?

1. Treat cybersecurity as a value to be maximised, not merely as a cost to be minimised. Not only your customers but also the regulators expect you to pay more than lip service to cybersecurity these days.

2. Don’t just remove malware and move on. Cleaning up malware files is a necessary part of your recovery process, but you need to look for other side-effects that the malware could have caused while it was active.

3. Always investigate anomalies. Don’t wait until the third time that cybercriminals try to steal from your staff before you take action to figure out what’s going on.

4. Help security researchers to get hold of you easily. The easiest way is simply to add a text file called security.txt that is visible via your main URL, as you will see if you visit https://sophos.com/security.txt. (RFC 9116, which standardises the file, specifies /.well-known/security.txt as its location, with the top-level path retained for older tools, and requires at least a Contact and an Expires field.)

https://nakedsecurity.sophos.com/2021/09/13/serious-security-how-to-make-sure-you-dont-miss-bug-reports/
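A security.txt file only helps if a researcher’s tooling can actually find and parse it, and a stale Expires date is the most common way such files silently rot. The following is an added example, not Sophos’s own file or any project’s code: it embeds a constructed sample in the RFC 9116 layout (example.com addresses, not real contact points) and checks it for the two required fields, a usable Contact URI and an unexpired, timezone-qualified Expires timestamp. The `security_txt_urls` helper is this example’s own name for listing the two locations RFC 9116 describes.

```python
from datetime import datetime, timezone

# Constructed sample in the RFC 9116 layout; addresses are placeholders.
SAMPLE = """\
# Vulnerability disclosure contact details (constructed example)
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vuln
Expires: 2099-12-31T23:59:00.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

REQUIRED_FIELDS = ("Contact", "Expires")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def security_txt_urls(host: str):
    """Where RFC 9116 says to look: the well-known path first, legacy root second."""
    return [
        f"https://{host}/.well-known/security.txt",
        f"https://{host}/security.txt",
    ]


def parse_security_txt(text: str):
    """Parse 'Field: value' lines into {field: [values]}; '#' lines are comments."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a field line: {raw!r}")
        name, _, value = line.partition(":")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, now: datetime = None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    problems = []
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]

    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field: {name}")

    for value in fields.get("Contact", []):
        if not value.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {value}")

    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires[:1]:
        # RFC 9116 wants an RFC 3339 date-time; fromisoformat needs '+00:00' for 'Z'.
        try:
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 date-time: {value}")
            continue
        if when.tzinfo is None:
            problems.append(f"Expires has no timezone: {value}")
        elif when <= now:
            problems.append(f"file has expired: {value}")

    return problems


if __name__ == "__main__":
    print(security_txt_urls("example.com"))
    print("sample problems:", validate_security_txt(SAMPLE))
    stale = "Contact: security@example.com\nExpires: 2000-01-01T00:00:00Z\n"
    print("stale-file problems:", validate_security_txt(stale))
```

Run this against the text you intend to publish before it goes live, and again from a scheduled job so that the Expires date is renewed before it lapses; a researcher whose report goes to an expired or unparseable contact is exactly the one who ends up disclosing elsewhere.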


If you don’t have the experience or the time to maintain ongoing threat response by yourself, consider partnering with a service like Sophos Managed Threat Response. We help you take care of the activities you’re struggling to keep up with because of all the other daily demands that IT dumps on your plate.


