Headsup: Cafe Press security breach 2019

[jackarabit]

In my email 4 July

Notice of FTC Settlement - 2019 Data Breach
Mon, Jul 4, 2022 9:43 pm
CafePress (info@ftcnotice.cafepress.com)


To:you Details


Dear Valued Customer,

We are contacting you about the 2019 breach of your information collected by the prior owners of CafePress. This notice is about that breach, which you may have already been notified of. We recently reached a settlement with the Federal Trade Commission, the nation's consumer protection agency, to resolve issues related to the 2019 data breach, and to make sure CafePress keeps your information safe.

What happened?

Before November 2019, CafePress didn't have reasonable practices to keep your information safe. When the company had a security breach, the following information about you may have been stolen: your email address, password, name, address, phone number, answers to your security questions, and the expiration date and last four digits of your credit card.

What you can do to protect yourself

Here are some steps to reduce the risk of identity theft and protect your information online:

1. Use different passwords for different accounts. That way, if one account is hacked or has a data breach, your other accounts will be safer. And if you've reused your CafePress password or security questions on other websites, be sure to change them right away.

2. Consider a password manager. These are apps that store and manage strong, unique passwords and security questions for all the sites you use. Search independent review sites to find a free or paid password manager that works for you.

3. Use multi-factor authentication when it's an option. Multi-factor authentication can help secure your account by requiring two or more ways to verify it's you before granting access to your account. This security feature makes it much harder for people to take advantage of stolen passwords or answers to security questions.

4. Learn more from the Federal Trade Commission at https://www.ftc.gov/data-breach-resources or at https://www.IdentityTheft.gov.

If you have any questions or concerns, please contact us at support@CafePress.com, at 1.844.988.0030 or reply to this email. Learn more about the settlement at https://www.ftc.gov/news-events/news/pr ... each-cover.


Sincerely,

Chris Klingebiel
General Manager, CafePress

Anyone who has ordered Concept 2 challenge buttons, souvenirs or apparel in the past will be thrilled to hear of a personal data breach coverup three yrs. AFTER it occurred! Anyone considering ordering from CafePress in future should closely assess the risk of ordering from new ownership!

[Dangerscouse]

Three years ago!!!!! Words fail me....

[jackarabit]

Stu, the FTC.govt link near bottom fleshes out the story. Prolly the merch tie-in to C2 is normally less enticing to folks from over the pond as no doubt postal rates (already high cost to weight ratio as shipped by CafePress to Conus addresses) would be prohibitive overseas. For those definitely not Merseyside, the dilatory performance of US regulatory agencies is a bit worrisome.

[Tsnor]

... For those definitely not Merseyside, the dilatory performance of US regulatory agencies is a bit worrisome.

Usual US gov process is to allow private parties to sue the snot out of people who do stupid things rather than attempt to catch them. The fear of lawsuit / class action etc. seems to work better than fear that the government will discover something.

In the specific case of Cafe Press (assuming this is the same incident)...

CafePress obtains complete dismissal of putative nationwide class action relating to data breach

Jones Day obtained a complete dismissal of a putative nationwide class action arising from an alleged data breach on behalf of CafePress Inc. (now known as Residual Pumpkin Entity, LLC). In the complaint, the plaintiff alleged claims for common law negligence and violations of various Illinois state statutes. CafePress moved to dismiss all the plaintiff’s claims, arguing, among other things, that the plaintiff lacked Article III standing because he failed to establish that any sensitive personal information belonging to the plaintiff was actually compromised.

[jackarabit]

Tsor writes:

The fear of lawsuit / class action etc. seems to work better than fear that the government will discover something.

“Captive” regulatory agencies are notorious for hamstringing or neglecting agency powers of oversight and investigation. Info of CP customers found in the internet sewer but the plaintiff found to lack standing? Class action suits are workfare for lawyers. Ya gotta luv the caveat emptor advice from the new owner! LLC should be altered to NLC. How many rats can hide in a residual pumpkin entity?

[jackarabit]

https://www.ftc.gov/news-events/news/p ... security-0

Screenshot from link above (24 June 2022) detailing terms of settlement between US FTC and Cafe Press in matter of 2019 customer data hack.



Looks that the Federal Trade Commission has successfully put a bit of stick about and achieved compliance by Cafe Press in creation of reasonable safeguards for customer information in future and funded compensation of injured parties.