Federal Trade Commission takes action against CafePress for data breaches and their cover-up
March 18, 2022
What’s worse, the cover-up or the crime? The answer from Watergate was emphatically that the cover-up was where the real ill lies. For a lawyer, a manageable legal problem becomes a much more serious one when a person or organisation hides evidence of an offence. So CafePress discovered when the Federal Trade Commission (“FTC”) caught up with it for both its data breaches and their cover-up.
CafePress failed to secure its clients’ sensitive information and then tried to cover up the data breach. The first reports of CafePress having been hacked in February 2019 appeared in August of that year, with a number of reports including one by Forbes titled CafePress Hacked, 23M Accounts Compromised. Is Yours One Of Them? The prescient question in that article was “why has it taken so long to find out about the CafePress breach?” Good question. An equally good one might be “why have I heard about this breach from HIBP and not CafePress itself?” These are questions that have attracted the attention of the FTC, which is seeking a $500,000 payment to redress loss to consumers resulting from the data breach. As well, the owners of CafePress will be required to enter into a 20-year order covering security programs and compliance monitoring. That is standard practice for the FTC.
The FTC has set out the history and the outcome in its press release, which provides:
The Federal Trade Commission today took action against online customized merchandise platform CafePress over allegations that it failed to secure consumers’ sensitive personal data and covered up a major breach. The FTC alleges that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions. The Commission’s proposed order requires the company to bolster its data security and requires its former owner to pay a half million dollars to compensate small businesses.
“CafePress employed careless security practices and concealed multiple breaches from consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “These orders dial up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information.”
In a complaint filed against Residual Pumpkin Entity, LLC, the former owner of CafePress, and PlanetArt, LLC, which bought CafePress in 2020, the FTC alleged that CafePress failed to implement reasonable security measures to protect the sensitive information of buyers and sellers stored on its network. In addition to storing Social Security numbers and password reset answers in clear, readable text, CafePress retained the data longer than was necessary. The company also failed to apply readily available protections against well-known threats and adequately respond to security incidents, the complaint alleged. As a result of its shoddy security practices, CafePress’ network was breached multiple times.
According to the complaint, a hacker exploited the company’s security failures in February 2019 to access millions of email addresses and passwords with weak encryption; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates. Some of the information was later found for sale on the Dark Web.
After being notified a month later that it had a security vulnerability and that hackers had obtained consumer data, CafePress patched the vulnerability but failed to properly investigate the breach for several months despite additional warnings, the complaint alleged. This included a warning in April 2019 from a foreign government, which notified the company that a hacker had illegally obtained CafePress customer account information and urged the company to notify affected customers. The company, however, withheld this essential information, and instead only told customers to reset their passwords as part of an update to its password policy.
The complaint alleges CafePress did not inform affected customers until September 2019—one month after the breach was reported widely. The company’s lax security practices, however, still left many consumers at risk. For example, the company continued to allow people to reset their passwords on the website by answering security questions associated with customer email addresses—the same information that had been previously stolen by hackers.
According to the complaint, CafePress was aware of problems with its data security prior to the 2019 data breach. Through at least January 2018, when CafePress determined that certain accounts of shopkeepers had been hacked, CafePress closed the accounts and charged the victims a $25 account closure fee. The company also experienced several malware infections to its network prior to the 2019 hack but failed to investigate the source of such attacks.
In addition to its security failures, the FTC alleged the company misled users by using consumer email addresses for marketing despite its promises that such information would only be used to fulfill orders consumers had placed.
As part of the proposed settlement, Residual Pumpkin and PlanetArt will be required to implement comprehensive information security programs that will address the problems that led to the data breaches at CafePress. This includes replacing inadequate authentication measures such as security questions with multi-factor authentication methods; minimizing the amount of data they collect and retain; and encrypting Social Security numbers.
In addition, the proposed settlement requires Residual Pumpkin to pay $500,000 in redress to victims of the data breaches. PlanetArt will be required to notify consumers whose personal information was accessed as a result of CafePress’s data breaches and provide specific information about how consumers can protect themselves. Both companies will be required to have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.
CafePress carefully did everything that an organisation should not do when it became aware of vulnerabilities and was then affected by a data breach. It is quite an exceptional example of organisational ineptitude.
As is usually the case, when the regulator started looking at CafePress’s structure, processes and history it found a litany of mistakes, oversights and incompetence. That is not surprising. Poor cyber security practice is not a one-off and doesn’t only affect one part of an organisation. It is usually a symptom of a poor culture, a lack of resources and little interest in security.
The list of poor practices set out at paragraph 11 of the FTC’s complaint is depressingly familiar. They are:
a. Respondents failed to implement readily-available protections, including many low-cost protections, against well-known and reasonably foreseeable vulnerabilities, such as “Structured Query Language” (“SQL”) injection, Cascading Style Sheets (“CSS”) and HTML injection, cross-site scripting (“XSS”), and cross-site request forgery (“CSRF”) attacks, that could be exploited to gain unauthorized access to Personal Information on its network;
b. Residual Pumpkin stored Personal Information such as Social Security numbers and security questions and answers in clear, readable text;
c. Residual Pumpkin failed to implement reasonable measures to protect passwords, such as using the SHA-1 hashing algorithm, deprecated by the National Institute of Standards and Technology in 2011, instead of more secure algorithms, and failing to use a “salt”—random data that makes attacks (e.g., brute force, rainbow tables) against cryptographically protected passwords harder;
d. Residual Pumpkin failed to implement a process for receiving and addressing security vulnerability reports from third-party researchers, academics, or other members of the public, thereby delaying its opportunity to correct discovered vulnerabilities or respond to reported incidents;
e. Residual Pumpkin failed to implement patch management policies and procedures to ensure the timely remediation of critical security vulnerabilities and used obsolete versions of database and web server software that no longer received patches;
f. Residual Pumpkin failed to establish or enforce rules sufficient to make user credentials (such as user name and password) hard to guess. For example, employees and consumers, including shopkeepers, were not required to use complex passwords. Accordingly, they could select the same word, including common dictionary words, as both the password and user ID, or a close variant of the user ID as the password;
g. Residual Pumpkin created unnecessary risks to Personal Information by storing it indefinitely on its network without a business need;
h. Residual Pumpkin failed to implement reasonable procedures to prevent, detect, or investigate an intrusion. For example, Residual Pumpkin failed to:
i. log sufficient information to adequately assess cybersecurity events;
ii. properly configure vulnerability testing and scope penetration testing of the network and web application;
iii. comply with its own written security policies; and
i. Residual Pumpkin failed to reasonably respond to security incidents. For example, Residual Pumpkin failed to:
i. timely disclose security incidents to relevant parties, preventing them from taking readily available low-cost measures to avoid or mitigate reasonably foreseeable harm;
ii. adequately assess the extent of and remediate malware infections after learning that devices on its network were infected with malware; and
iii. take adequate measures to prevent account takeovers through password resets using data known to have been obtained by hackers.
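Item c above is the one failure in the list that can be shown concretely in a few lines. The following Python is an added illustration written for this post; it is not code from the FTC complaint or from CafePress. It contrasts the scheme the complaint describes (a single unsalted SHA-1 over the password) with a salted, iterated hash. The complaint only says “more secure algorithms”; PBKDF2-HMAC-SHA256 and the 600,000-iteration work factor are my choices for the example, and the record format and the usernames and passwords are constructed for it.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256 (not from the complaint).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_sha1(password: str) -> str:
    """The weak scheme in item c: one unsalted SHA-1 over the password.

    Because there is no salt, every user who picks the same password ends
    up with an identical digest, so one precomputed table of digests
    (a rainbow table) answers the question for all of them at once, and
    SHA-1 is fast enough that brute force is cheap."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash stored as a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' so the work
    factor can be raised later without invalidating existing records."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time. Any malformed record verifies as False."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when a record uses an old scheme or a lower work factor than
    the current policy. Call after a successful login and re-store the
    password with hash_password() so old records are migrated gradually."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    try:
        return int(parts[1]) < PBKDF2_ITERATIONS
    except ValueError:
        return True


def shared_digests(user_passwords: dict, hasher) -> int:
    """Count users whose stored value is identical to another user's.
    With the unsalted scheme this is every user who shares a password;
    with a per-user salt it is zero."""
    stored = [hasher(pw) for pw in user_passwords.values()]
    return sum(1 for s in stored if stored.count(s) > 1)


if __name__ == "__main__":
    # Constructed sample accounts; two users chose the same password.
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
    print("users with an identical unsalted SHA-1 digest:",
          shared_digests(users, legacy_sha1))          # 2
    print("users with an identical salted PBKDF2 record:",
          shared_digests(users, hash_password))        # 0
    rec = hash_password("hunter2")
    print(verify_password("hunter2", rec), verify_password("hunter3", rec))
```

The point for the CafePress facts is the first line of output: with unsalted SHA-1, the leaked digests of every customer who used a common password were interchangeable, which is exactly what a precomputed table exploits. The `needs_rehash` helper is the usual way to retire such a scheme without a forced reset: verify on login, then re-store under the current policy.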
These failures are present, to a greater or lesser degree, in many Australian organisations. While the regulator in Australia is far weaker and more timid than the FTC, the consequences of such a breach and cover-up can be significant.
The reputational damage to CafePress continues with negative publicity, not to mention 20 years of compliance costs under the consent orders.