UPDATED 22:40 EST / MARCH 16 2022

SECURITY

FTC fines CafePress over 2019 data breach coverup

The U.S. Federal Trade Commission has fined online merchandise provider CafePress Inc. $500,000 over a data breach that the company failed to disclose in 2019.

The data breach first came to light in August 2019 after a database of the company’s customer records was found online. The database contained 23,205,290 records, including email addresses, names, phone numbers and physical addresses. About half the records also had encrypted passwords attached, with most of them hashed using an older scheme known as “base64 SHA1” that can be easily cracked.
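As an added illustration, not code from the article or from CafePress, the snippet below shows what a “base64 SHA1” password hash is, why an unsalted fast hash lets a single precomputed table of common passwords match every user at once, and how a salted, slow key derivation (PBKDF2 from the Python standard library) removes both weaknesses. Function names and the small wordlist are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Legacy "base64 SHA1": an unsalted SHA-1 digest of the password, base64-encoded.
# Every user with the same password gets the same stored value.
def legacy_base64_sha1(password: str) -> str:
    return base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

# Constructed wordlist for the demonstration (a password audit would use a real one).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "hunter2"]

# Because there is no per-user salt, one table built once covers an entire database.
def build_lookup_table(candidates: Iterable[str]) -> Dict[str, str]:
    return {legacy_base64_sha1(p): p for p in candidates}

# Audit check: does a stored legacy hash match a known-weak password?
def recover_from_lookup(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    return table.get(stored_hash)

# Hardened form: random 16-byte salt per user plus a deliberately slow KDF.
PBKDF2_ITERATIONS = 600_000

def hardened_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )

def verify_hardened(password: str, stored: str) -> bool:
    _algo, iters, salt_b64, dk_b64 = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(salt_b64), int(iters))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))

if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked = legacy_base64_sha1("letmein")
    print("legacy:", leaked, "->", recover_from_lookup(leaked, table))
    stored = hardened_hash("letmein")
    print("hardened:", stored, "verifies:", verify_hardened("letmein", stored))
```

Two calls to `hardened_hash` with the same password yield different strings because of the random salt, so a leaked table of these values cannot be matched against a precomputed list.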

The hack is believed to have occurred in February 2019. When it was disclosed that the data had been leaked in August, CafePress didn’t confess to having suffered a data breach but instead forced customers to reset their passwords under the guise of a new password policy.

The FTC took issue with both the failure to disclose the data breach and the lax security protections CafePress employed.

The commission alleges that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including plain-text Social Security numbers, inadequately encrypted passwords and answers to password reset questions.

Along with the $500,000 fine, the FTC also requires CafePress to bolster its data security.

“CafePress employed careless security practices and concealed multiple breaches from consumers,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a March 15 statement. “These orders dial up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information.”

Discussing the case, Saumitra Das, chief technology officer and co-founder of agentless cloud security company Blue Hexagon Inc., told SiliconANGLE that organizations need to understand where their data is stored, which data is sensitive and who has access to the data and from where.

“Securing data and its access is as critical as networks, identity and endpoints,” Das said. “Assuming every other defense fails, securing data from being exfiltrated or ransomed is critical. With the increasing usage of cloud storage which surprisingly still happens to be misconfigured all the time, this issue becomes even more prevalent.”

