CafePress is a web service that lets artists, shops, businesses, fan clubs – anyone who signs up, in fact – turn designs, corporate slogans, logos and the like into fun merchandise they can give away or sell on to others.
The days when you had to put in an order for several hundred coffee mugs (or golf balls, or mousemats, or T-shirts, or hoodies) just to get one with the company name on them are long gone, with even one-off merch orders possible thanks to on-line ordering.
Unfortunately, as the US Federal Trade Commission explained last week in a case report bluntly entitled CafePress, In the Matter of, the company wasn’t up to scratch when it came to looking after the personal data of its customers and signed-up sellers.
According to the FTC, the CafePress service experienced a data breach, discovered and reported in early 2019, that was not acted on promptly or effectively, making the ultimate side-effects of the breach much worse than they ought to have been.
In other words, even though the company was itself the victim of a cybercrime, it has nevertheless been censured and fined for what it did (and didn’t do), both before and after this cybercrime took place.
The breach, says the FTC, saw hackers make off with more than 20,000,000 plaintext email addresses and weakly-hashed passwords; millions of unencrypted names, physical addresses, and security questions-and-answers; more than 180,000 unencrypted SSNs (social security numbers); and, for tens of thousands of payment cards, the last four digits of the card plus the expiry date.
The sloppiness of the company’s followup to this sloppiness led to a plain-talking headline on the government’s own press release: FTC Takes Action Against CafePress for Data Breach Cover Up.
Consent order issued
As part of the FTC’s settlement, known in US parlance as a consent order, the owner of Cafe Press at the time – a company with the quizzical name of Residual Pumpkin – will pay a penalty of $500,000.
Both Residual Pumpkin and the website’s new holding company, Planet Art, will be subject to numerous other conditions, including submitting to security assessments every two years for the next 20 years.
Importantly for any businesses out there that still pay little more than lip service to cybersecurity, the FTC wasn’t unsympathetic to CafePress-the-cybercrime-victim.
But the FTC was deeply critical of CafePress-as-a-21st-century-holder-and processor-of-personal-information.
In particular, the FTC censured CafePress for the following:
- Misrepresenting the measures it took to protect personal Information.
- Misrepresenting the steps it took to secure consumer accounts following security incidents.
- Failing to employ reasonable data security practices.
- Misrepresenting how it would use email addresses.
- Misrepresenting the company’s adherence to privacy regulations in the US and the EU.
- Misrepresenting its intention to honour data deletion requests by customers and sellers.
The FTC picked up explicitly on cyberseurity and data protection no-nos such as:
- Storing password hashes without salting or stretching, making passwords much easier to crack if a password database gets stolen, as happened in this case.
- Storing password recovery questions and answers in plaintext, making password resets easier for criminals after a breach.
- Continuing to allow those stolen recovery answers to be used for password resets for at least six months after claiming to have fixed that problem.
- Failing to notify users of the breach for several months after it was first reported, and even for several weeks after knowing that stolen customer data was up for sale on the dark web.
- Failing to follow up on malware infection incidents with any sort of threat analysis to see what security holes might have been opened up via that malware.
- Failing to notice the takeover of the the email account of an employee for several months after that staffer had experienced multiple malware incidents.
- Failing to investigate efforts to divert employees’ payroll deposits until the third time this criminal activity was reported.
- Not having any reliable way of receiving and acting on security alerts from bona fide security researchers, customers, or third parties including public sector cybersecurity responders.
- Neglecting to patch against known vulnerabilities, and continuing to use obsolete software that no longer received patches at all.
- Charging users a $25 fee for closing down their accounts in the aftermath of the breach.
What to do?
1. Treat cybersecurity as a value to be maximised, not merely as a cost to be minimised. Not only your customers but also the regulators expect you to pay more than lip service to cybersecurity these days.
2. Don’t just remove malware and move on. Cleaning up malware files is a necessary part of your recovery process, but you need to look for other side-effects that the malware could have caused while it was active.
3. Always investigate anomalies. Don’t wait until the third time that cybercriminals try to steal from your staff before you take action to figure out what’s going on.
4. Help security researchers to get hold of you easily. The easiest way is simply to add a text file called
security.txt that is visible via your main URL, as you will see if you visit https://sophos.com/security.txt.
If you don’t have the experience or the time to maintain ongoing threat reponse by yourself, consider partnering with a service like Sophos Managed Threat Response. We help you take care of the activities you’re struggling to keep up with because of all all the other daily demands that IT dumps on your plate.