The FTC wants the former owner of CafePress to cough up $500,000 after the customizable merch bazaar not only tried to cover up a major computer security breach involving millions of netizens, it failed to safeguard customers’ personal information.
In a complaint [PDF] filed against CafePress former owner Residual Pumpkin Entity and PlanetArt, which bought the platform in 2020, the FTC alleges multiple instances of shoddy security practices at the online biz. In a settlement proposed by the US watchdog, Residual Pumpkin will pay up the half-million dollars.
The complaint highlighted that in February 2019 criminals stole, and then sold on the dark web, a treasure trove of personal information they found relatively easily on CafePress systems. This data included: more than 20 million unencrypted email addresses and encrypted passwords; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and the last four digits of for tens of thousands of credit cards.
A month later, after being tipped off to the intrusion and that a vulnerability had been exploited, Residual Pumpkin updated its systems — but it didn’t notify customers about the break-in nor alert them that their data had been stolen, the FTC alleged. Instead, CafePress told them to change their passwords as part of an updated policy on login credentials.
Meanwhile, posts about stolen customer data and rumors of a privacy breach began appearing on Twitter, Reddit, and Facebook as customers received notifications from monitoring services that their details were unexpectedly in circulation. According to the FTC, CafePress received multiple warnings, including one from a foreign government, that its customer data has been lifted, yet kept quiet.
It wasn’t until September 2019 that Residual Pumpkin admitted to government agencies and affected customers that its security had been breached, the complaint states. At the time, the biz told netizens and law enforcement agencies that the password reset back in April would block any further unauthorized use. But according to the FTC, this wasn’t true.
Residual Pumpkin continued to allow password resets from the CafePress website by answering security questions associated with the customer’s email address — in other words, allowing miscreants to change people’s passwords using information stolen in the breach.
“Thus, until November 2019, anyone with access to the breached data could take over another user’s account,” the FTC noted.
According to FTC senior attorney Lesley Fair, CafePress also failed to protect against SQL injection attacks, didn’t require strong passwords be set by users, didn’t have any decent network intrusion detection systems in place, and committed other screw ups.
In proposed settlements with Residual Pumpkin [PDF] and PlanetArt [PDF], the FTC tasked both companies with setting up a “comprehensive information security program” that protects customers’ privacy and personal information. This includes, among other things, using multi-factor authentication, encrypting Social Security numbers, and not collecting or maintaining as much customer data.
The FTC also wants third-party groups to assess these new security programs and report back with an assessment of them.
Plus, the proposed settlement requires Residual Pumpkin to pay $500,000 to victims of the leak. It also requires PlanetArt to notify folks whose personal information was stolen and provide them with information about consumer protection. These settlement packages must go through a public comment period of 30 days before they are finalized by the regulator’s commissioners.
Biden signed cyberattack reporting bill
The FTC action comes as President Joe Biden signed into law a cyberattack reporting requirement for critical infrastructure owners and operators. The legislation requires these entities to report a major cybersecurity incident to Uncle Sam’s cybersecurity body CISA within 72 hours and within 24 hours of making a ransomware payment.
Additionally, a new rule proposed by the US Securities and Exchange Commission would force public companies to publicly disclose cyberattacks within four days, and would start mandating periodic reports about corporation’s cyber-risk management plans.
As the threat of cyberattacks from Russia in response to Western sanctions looms, supporters of these types of reporting requirements say they will make the US more cyber resilient.
In an email to The Register, Illumio CEO Andrew Rubin said it’s a “step in the right direction.”
“Although it may take time for us to reach national resilience, it’s important to remember that decisive action is a win and any action beats entropy,” Rubin said, noting that the attackers never stop.
“Right now, the best way to bolster national cyber resilience is to act,” he opined. “Federal agencies should shore up their mission-critical assets accordingly: back up data, practice incident response plans, and segment networks.” ®