The U.S. Federal Trade Commission (FTC) has ordered Residual Pumpkin Entity, the former owner of the personalized gift e-commerce platform CafePress, to pay a $500,000 fine for its role in a data breach affecting more than 23 million customers and for its improper handling of other data security concerns.
Residual Pumpkin Entity stored its customers' Social Security numbers and password reset answers in plain text and retained the data longer than necessary, the consumer protection watchdog explained. The company also failed to apply effective protections and to respond to security incidents. After its servers were compromised in multiple attacks, it sought to cover up a major data breach caused by its sloppy security measures.
According to the complaint, the data breach occurred in February 2019, when an unknown hacker exploited a security flaw at the company to gain access to:
Millions of weakly encrypted email addresses and passwords;
Millions of unencrypted names, physical addresses, and security questions and answers;
Over 180,000 unencrypted Social Security numbers;
Tens of thousands of credit card numbers and expiration dates.
Some of the above data was later found for sale on the dark web.
CafePress allegedly attempted to cover up the massive data breach and made no statement about it. Affected individuals were not notified until September 2019. The only indication of a problem at the time was that users were prompted to reset their passwords when logging in, with no mention of a data breach. The company's lax security measures also continued to put many consumers at risk. For example, after the incident the company still allowed users to reset passwords on its website by answering security questions, information that had been stolen by the hackers.
CafePress knew it had data security issues even before the 2019 data breach. According to the FTC's complaint, the company had known since at least January 2018 that some of its store owners' accounts had been compromised. Instead of telling victims the truth, CafePress closed their accounts and charged each of them a $25 account closure fee.
Under the finalized order, in addition to paying the $500,000 fine, Residual Pumpkin Entity and PlanetArt (the new owner of CafePress) are also required to implement a comprehensive information security plan, including implementing multi-factor authentication, minimizing the amount of data collected and retained, and encrypting all stored Social Security numbers.
With frequent news stories about ransomware attacks and enterprises in every industry being targeted, cybersecurity is becoming an increasingly critical problem for businesses to address. Regardless of your industry, you must protect your data. Only by keeping corporate data secure can businesses properly protect consumers and themselves and keep their operations running smoothly. Virtual machine backup is becoming one of the most used methods of data security. Because it is simple to use and economical, many organizations use VMware Backup to protect their data.