The US Federal Trade Commission has fined online merchandise provider CafePress Inc. $500,000 over a data breach that the company failed to disclose in 2019.
The data breach first came to light in August 2019 after a database of the company’s customer records was found online. The database contained 23,205,290 records, including email addresses, names, phone numbers and physical addresses. About half of the records also had password hashes attached, most of them produced with an older scheme known as “base64 SHA1” (an unsalted SHA-1 hash, base64-encoded) that can be easily cracked.
The hack is believed to have occurred in February 2019. When it was disclosed that the data had been leaked in August, CafePress did not confess to having suffered a data breach but instead forced customers to reset their passwords under the guise of a new password policy.
Pretty disingenuous of CafePress to mask a data breach of names, mobiles, and street addresses under a password policy update. pic.twitter.com/t7RUt6pRKH
– darren🌻 (@darrenpauli) August 5, 2019
The FTC was not amused by both the failure to disclose the data breach and the lax security protections employed by CafePress.
The commission alleges that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including plain-text Social Security numbers, inadequately encrypted passwords and answers to password reset questions.
Along with the $500,000 fine, the FTC also requires CafePress to bolster its data security.
“CafePress employed careless security practices and concealed multiple breaches from consumers,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a March 15 statement. “These orders dial up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, such as multi-factor authentication, to better safeguard personal information.”
Discussing the case, Saumitra Das, chief technology officer and co-founder of agentless cloud security company Blue Hexagon Inc., told SiliconANGLE that organizations need to understand where their data is stored, which data is sensitive and who has access to the data and from where.
“Securing data and its access is as critical as networks, identity and endpoints,” Das said. “Assuming every other defense fails, securing data from being exfiltrated or ransomed is critical. With the increasing usage of cloud storage which surprisingly still happens to be misconfigured all the time, this issue is becoming even more prevalent.”