Seven states settle with CafePress over 2019 data breach
In August 2019, this site noted that CafePress had been hacked in February. On October 1, 2019, I shared some of the notification I had received from them via email on September 30 because I found their notification confusing. Yesterday, state attorneys general announced a settlement with CafePress, stemming from the breach.
This is the second settlement this week where a business has been found to have not responded adequately in investigating a breach or vulnerability. Earlier this week, the FTC settled with SkyMed International over an incident in which they had an exposed database, and when notified, simply deleted the database instead of thoroughly investigating logs to determine how many accesses there may have been. Their notification to consumers underplayed the incident.
Now we have states finding that when notified of an SQL injection vulnerability, CafePress only went back two weeks in logs and decided that there had been no breach. Weeks later, they patched and required a password reset, but they never really investigated to see if there had already been a breach earlier. Even when a foreign government alerted them that someone had been found with data that appeared to be theirs, they still did not investigate thoroughly, running a sample of the data and deciding that it did not permit access to any accounts. In July, data was posted for sale on WeLeakInfo. And still nothing. It was only after HaveIBeenPwned added the data and started notifying people that CafePress announced a breach. The assurance of voluntary compliance details the timeline of developments in this case.
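To make the two-week lookback point concrete, here is an added example (not part of the original post, and not anything CafePress ran) that scans constructed Common Log Format access-log lines for SQL injection indicators and compares a 14-day review window against the full retained log. The IP addresses, paths, and the 13 March review date are assumptions; only the 19 February intrusion date comes from the settlement.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_plus

# Constructed access-log lines; illustrative only, not CafePress's real logs.
# The 19 Feb entries stand in for an intrusion on the date the settlement
# gives; the later entries are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Feb/2019:02:14:07 +0000] "GET /search?q=mug%27+UNION+SELECT+email%2Cpassword+FROM+users-- HTTP/1.1" 200 8812
203.0.113.5 - - [19/Feb/2019:02:14:09 +0000] "GET /search?q=mug%27+UNION+SELECT+ssn%2Cname+FROM+sellers-- HTTP/1.1" 200 9931
198.51.100.7 - - [22/Feb/2019:11:05:31 +0000] "GET /search?q=coffee+mug HTTP/1.1" 200 4120
198.51.100.9 - - [05/Mar/2019:15:42:10 +0000] "GET /product/42 HTTP/1.1" 200 5010
"""

# Assumed review date: the 13 Mar 2019 patch date, looking back two weeks.
REVIEW_DATE = datetime(2019, 3, 13, tzinfo=timezone.utc)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Detection indicators for SQL injection in a URL-decoded request path.
SQLI_RE = re.compile(
    r"union\s+select|'\s*or\s*'?\d+'?\s*=\s*'?\d|sleep\s*\(|information_schema", re.I)

def parse_line(line):
    """Return (timestamp, ip, decoded request path) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return when, ip, unquote_plus(path)

def find_sqli_hits(log_text, since=None):
    """Requests carrying an SQLi indicator, optionally only those at or after `since`."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and SQLI_RE.search(parsed[2]) and (since is None or parsed[0] >= since):
            hits.append(parsed)
    return hits

def review(log_text, review_date, lookback_days=14):
    """Compare a short look-back window against the full retained log."""
    window_start = review_date - timedelta(days=lookback_days)
    in_window = find_sqli_hits(log_text, since=window_start)
    all_hits = find_sqli_hits(log_text)
    earliest = min((h[0] for h in all_hits), default=None)
    return {"in_window": len(in_window), "total": len(all_hits), "earliest": earliest,
            "missed_by_window": earliest is not None and earliest < window_start}

if __name__ == "__main__":
    print(review(SAMPLE_LOG, REVIEW_DATE))
```

On the sample, the two-week window reports zero hits while the full log shows the injection requests from 19 February, which is exactly the gap a retention-limited review leaves open.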
Here is the press release from the NYS Attorney General’s Office:
New York Attorney General Letitia James today announced a $2 million agreement with CafePress to resolve a 2019 data breach that compromised the personal information of approximately 22 million consumers nationwide, including more than one million in New York state. CafePress — an online retailer of stock and user-customized products — failed to take thorough action for months after learning users’ personal information was vulnerable. Attorney General James led a coalition of seven attorneys general in investigating the breach, which compromised consumers’ names, email addresses, passwords, physical addresses, and phone numbers, as well as, in some cases, sellers’ full, unencrypted Social Security or tax identification numbers.
“New Yorkers have every reasonable expectation to trust that their personal information will remain protected,” said Attorney General James. “CafePress breached that trust by failing to protect consumers and then failing to take immediate action when they learned data was at risk. My office is committed to protecting consumers, which is why we will continue to use every available tool to hold companies accountable when they fail to safeguard personal information.”
On or before February 19, 2019, an attacker obtained the customer and seller information of approximately 22 million accounts, including 186,179 accounts with a Social Security or tax identification number collected from sellers for tax purposes. Subsequently, a third-party security researcher informed CafePress of a vulnerability attacking a data-driven application. Upon learning of this vulnerability, CafePress reviewed database and webserver logs dating back only two weeks and did not find evidence of a breach. Nonetheless, on March 13, 2019, CafePress issued a patch to remediate the vulnerability. On April 4, 2019, CafePress reset the passwords of all CafePress customer accounts, requiring all users who accessed their account on or after April 4, 2019 to set a new password upon login.
On August 4, 2019, the website “Have I Been Pwned” — a site that allows individuals to check whether their personal information has been compromised — added the email addresses associated with the accounts exposed in the 2019 data breach to its website and notified those users of the breach.
At this point, nearly six months after the intrusion, and close to five months after its first indication of the vulnerability, CafePress finally conducted a full investigation into whether its user database had been breached. During this investigation, CafePress determined that its users’ personal information was available for sale on the dark web.
Starting on September 4, 2019, CafePress began to notify affected customers of the breach. CafePress offered two years of credit monitoring and theft resolution services at no charge to those whose Social Security numbers and/or tax identification numbers were affected by the incident.
As part of today’s agreement, CafePress will make a series of improvements designed to protect consumer personal information from cyberattacks in the future, including:
- Creating a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats, as well as regular reporting to the CEO concerning security risks;
- Designing an incident response and data breach notification plan that will be required to encompass preparation, detection and analysis, containment, eradication, and recovery;
- Ensuring personal information safeguards and controls — including encryption, segmentation, penetration testing, logging and monitoring, a risk assessment program, password management, and data minimization — are in place;
- Providing clear notice to consumers concerning account closure and data deletion; and
- Ensuring third-party security assessments take place for the next five years.
PlanetArt, LLC — the company that purchased substantially all the assets of CafePress during the pendency of the states’ investigation, and now owns and operates cafepress.com — has agreed to all the provisions of this agreement in an effort to protect consumer data.
Pursuant to the agreement, CafePress has agreed to pay a total of $2 million to the multistate coalition. An immediate payment of $750,000 will be divided amongst the states, of which $304,141.55 will go to New York state directly. The remainder of the $2 million payment is suspended based on the company’s financial condition.
Joining Attorney General James in the investigation and today’s agreement are the attorneys general of Connecticut, Indiana, Kentucky, Michigan, New Jersey, and Oregon.
This matter was handled by Assistant Attorney General Hanna Baek, Deputy Bureau Chief Clark Russell, and Internet and Technology Analyst Joe Graham — all of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.