PrivacyCache
Jurisdiction: US | Category: Data Breach | Sector: E-commerce | Decision: 2022-03-15

Residual Pumpkin Entity (CafePress)

USD500K

Issued by Federal Trade Commission (FTC) on 2022-03-15

What happened

The FTC ordered the former owner of CafePress, an online custom merchandise retailer, to pay $500,000 for covering up a major data breach and failing to secure consumers' personal data. In February 2019, a hacker breached CafePress and stole personal information of over 23 million consumers, including Social Security numbers, encrypted passwords, and security questions. The FTC alleged that CafePress failed to implement reasonable security measures, stored Social Security numbers in plain text, used weak encryption for passwords, and retained data far longer than necessary. When the company learned of the breach, it failed to properly investigate, misrepresented the scope of the breach to affected consumers, and did not adequately notify those whose Social Security numbers were exposed.

Articles violated

FTC Act §5(a)

Lessons learned

Covering up or downplaying data breaches significantly increases regulatory consequences. Social Security numbers and other highly sensitive data must never be stored in plain text. Data retention policies must ensure that data is deleted when no longer needed. Even small e-commerce companies handling customer financial data must implement reasonable security measures. Timely, transparent, and comprehensive breach notification is both a legal requirement and a practical necessity to minimize harm to affected individuals.

Source

View original decision

Disclaimer: This summary is for informational purposes only and does not constitute legal advice. Refer to the original decision for complete details.
