Residual Pumpkin Entity, the former owner of online retail platform CafePress, must pay $500,000 in redress under a proposed settlement with the Federal Trade Commission (FTC) announced Tuesday, addressing allegations that CafePress failed to secure consumers’ sensitive personal data and covered up a data breach.

The FTC alleged in its complaint that CafePress failed to implement reasonable measures to protect customer data, storing Social Security numbers and security questions in clear, readable text and retaining data longer than necessary.

“The company also failed to apply readily available protections against well-known threats and adequately respond to security incidents,” according to the FTC.

These lax security practices enabled hackers to access millions of email addresses, passwords, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers—data later found for sale on the dark web, according to the FTC.

In March 2019, CafePress was alerted it had been hacked a month earlier and that customer data was being sold on the web. In response, CafePress “patched the vulnerability but failed to properly investigate the breach for several months despite additional warnings,” the FTC alleged. Affected customers weren’t informed until September 2019, the FTC said.

The agency’s complaint further accused CafePress of knowing it had data security vulnerabilities prior to the 2019 breach. “The company also experienced several malware infections to its network prior to the 2019 hack but failed to investigate the source of such attacks,” the FTC said.

As part of the proposed settlement, Residual Pumpkin and PlanetArt, which bought CafePress in 2020, must implement a comprehensive information security program that includes, among other things, policies and procedures for data minimization and data deletion.

The FTC’s order further requires the companies to replace inadequate authentication measures with multi-factor authentication and encrypt all Social Security numbers on their networks.

Both companies must also have a third party assess their information security programs and provide the FTC with a redacted copy of that assessment for public disclosure.

Lesley Fair, a senior attorney with the FTC’s Bureau of Consumer Protection, shared in a blog post the following compliance lessons from the CafePress settlement:

  • Don’t make it easy for data thieves to steal customer information.
  • Take security warnings seriously.
  • Respond to security episodes honestly, transparently, and quickly.

The FTC voted 4-0 to issue the proposed administrative complaint and accept the consent agreement with the companies. Following a public comment period of 30 days, the agency will determine whether to finalize the agreement.