A $500,000 Lesson In Cybersecurity
April 11, 2022

If you say you’re using email addresses for order notifications, don’t use them for marketing emails, and don’t send marketing materials to customers who declined to check the box that asks for them. These are among the takeaways in the FTC’s recent proposed settlement in the matter of CafePress, as summarized by law firm Fox Rothschild. Also, keep a clean house with regard to data, and don’t hang on to what you don’t need. And the major imperative, always: Don’t delay notifying affected customers after a known breach.
As part of the proposed settlement, CafePress, described as a “customized merchandise platform,” will need to bolster its data security, and its former owners will pay half a million dollars to compensate small businesses that were affected by a breach that occurred in 2019. According to the FTC complaint, a hacker extracted millions of email addresses and passwords, physical addresses, security questions and answers, credit card information, and more than 180,000 social security numbers. Some of that information was later found for sale on the dark web.
The complaint alleges that CafePress was aware it had security problems a year before the 2019 breach, and its response was to close the accounts of the affected shopkeeper clients and charge them a $25 account closure fee. The company is also alleged to have sent out marketing pitches to email addresses after clients were told those addresses would be used only for order-related notifications.