FTC Takes Action Against CafePress Over Massive Data Breach, Cover-Up
Residence › Audits
FTC Takes Motion In opposition to CafePress Over Large Information Breach, Cowl-Up
By Ionut Arghire on June 27, 2022
Tweet
The Federal Commerce Fee (FTC) on Friday introduced that it has finalized an order towards CafePress, requiring it to enhance its safety posture following a cybersecurity incident that the corporate tried to cowl up.
CafePress is a web-based retailer of merchandise similar to T-shirts, baggage, calendars and mugs, which customers can customise with their very own graphics designs or texts. It additionally permits customers to have digital retailers on the platform.
The FTC order was finalized roughly 4 months after a settlement over the poor cybersecurity practices employed by CafePress, which have led to delicate private info being compromised in an information breach.
The breach got here to mild in 2019 and it reportedly impacted 23 million accounts. Regardless of repeated makes an attempt to get the corporate to take correct motion, CafePress not solely didn’t safe its methods, but additionally determined to not inform impacted clients about this and different cybersecurity incidents.
A grievance was filed towards former CafePress proprietor Residual Pumpkin Entity, LLC, and towards the present proprietor, PlanetArt, LLC. The grievance claims that CafePress retained consumer knowledge longer than wanted, saved Social Safety numbers in plaintext, didn’t safe its methods towards recognized threats, and lined up the 2019 knowledge breach.
On Friday, the FTC introduced that, per its finalized order, Residual Pumpkin and PlanetArt are required to enhance their safety practices by means of the adoption of multi-factor authentication, to reduce the quantity of collected knowledge, and to retailer Social Safety numbers encrypted.
Per the FTC’s order, every of the 2 firms must implement a complete info safety program – “that protects the privateness, safety, confidentiality, and integrity of such Private Info” – inside 60 days after the issuance of the order.
Moreover, each firms are required to have their info safety packages assessed by a third-party and to offer the FTC with a duplicate of the evaluation that may be publicly shared.
Moreover, the FTC ordered Residual Pumpkin to pay $500,000 that can be despatched as aid to the victims of the information breach and requested PlanetArt to inform shoppers whose private info was compromised.
The 2 firms are additionally required to offer the FTC with an annual certification from a senior company supervisor, detailing each their compliance with the order and an outline of any cyber incident that may have occurred in the course of the licensed interval. All incidents ought to be reported to the FTC inside 30 days.
Associated: FTC: Patch Log4j Vulnerability to Keep away from Potential Authorized Motion
Associated: FTC Says Zoom Misled Customers on Its Safety for Conferences
Associated: FTC Settles With Canadian Sensible Lock Maker Over Safety Practices
Get the Each day Briefing
- Most Current
- Most Learn
- Lithuania Says Hit by Cyberattack, Russia ‘In all probability’ to Blame
- NIST Releases New macOS Safety Steerage for Organizations
- Home Passes ICS Cybersecurity Coaching Invoice
- Cerby Emerges From Stealth With Safety Platform for Unmanageable Apps
- FTC Takes Motion In opposition to CafePress Over Large Information Breach, Cowl-Up
- Netsec Goggle Customizes Courageous Search Outcomes to Present Solely Cybersecurity Web sites
- Cyberattack Forces Iran Metal Firm to Halt Manufacturing
- Researchers: Oracle Took 6 Months to Patch ‘Mega’ Vulnerability Affecting Many Programs
- CrowdStrike: Ransomware Actor Caught Exploiting Mitel VOIP Zero-Day
- Black Basta Ransomware Turns into Main Risk in Two Months
On the lookout for Malware in All of the Mistaken Locations?
First Step For The Web’s subsequent 25 years: Including Safety to the DNS
Tattle Story: What Your Pc Says About You
Be in a Place to Act By way of Cyber Situational Consciousness
Report Reveals Closely Regulated Industries Letting Social Networking Apps Run Rampant
2010, A Nice Yr To Be a Scammer.
Do not Let DNS be Your Single Level of Failure
How one can Establish Malware in a Blink
Defining and Debating Cyber Warfare
The 5 A’s that Make Cybercrime so Enticing
How one can Defend In opposition to DDoS Assaults
Safety Budgets Not in Line with Threats
Anycast – Three Causes Why Your DNS Community Ought to Use It
The Evolution of the Prolonged Enterprise: Safety Methods for Ahead Pondering Organizations
Utilizing DNS Throughout the Prolonged Enterprise: It’s Dangerous Enterprise
