CafePress fined for covering up 2019 customer info leak

Watchdog demands $500,000 after millions of people's info stolen and sold

The FTC wants the former owner of CafePress to cough up $500,000 after the customizable-merch bazaar not only tried to cover up a major computer security breach involving millions of netizens but also failed to safeguard customers' personal information.

In a complaint [PDF] filed against CafePress former owner Residual Pumpkin Entity and PlanetArt, which bought the platform in 2020, the FTC alleges multiple instances of shoddy security practices at the online biz. In a settlement proposed by the US watchdog, Residual Pumpkin will pay up the half-million dollars.

The complaint highlighted that in February 2019 criminals stole, and then sold on the dark web, a treasure trove of personal information they found relatively easily on CafePress systems. This data included: more than 20 million unencrypted email addresses and encrypted passwords; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and the last four digits of tens of thousands of credit card numbers.

A month later, after being tipped off that its systems had been broken into through an exploited vulnerability, Residual Pumpkin updated its systems, but it didn't notify customers about the break-in nor alert them that their data had been stolen, the FTC alleged. Instead, CafePress told them to change their passwords as part of an updated policy on login credentials.

Meanwhile, posts about stolen customer data and rumors of a privacy breach began appearing on Twitter, Reddit, and Facebook as customers received notifications from monitoring services that their details were unexpectedly in circulation. According to the FTC, CafePress received multiple warnings, including one from a foreign government, that its customer data had been lifted, yet kept quiet.

It wasn't until September 2019 that Residual Pumpkin admitted to government agencies and affected customers that its security had been breached, the complaint states. At the time, the biz told netizens and law enforcement agencies that the password reset back in April would block any further unauthorized use. But according to the FTC, this wasn't true.

Residual Pumpkin continued to allow password resets from the CafePress website by answering the security questions associated with the customer's email address. In other words, miscreants could change people's passwords using the very security answers stolen in the breach, so the April reset bought victims nothing.

"Thus, until November 2019, anyone with access to the breached data could take over another user's account," the FTC noted.
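The flaw the FTC describes is structural, not a missing patch: a reset path gated on knowledge the attacker already holds is no gate at all. The example below is added here and is not code from the article, the FTC complaint or CafePress. It contrasts a reset flow that accepts security-question answers with one that only accepts a single-use, expiring token sent out of band, and shows that a constructed "breached" record takes over the first but not the second. Class and function names, the sample record and the addresses are all made up for illustration.

```python
"""Added example (not from the article, the FTC complaint or CafePress):
knowledge-based password reset versus single-use token reset, run against
a constructed breached record. All names and data are illustrative."""
import hashlib
import hmac
import secrets
import time

# Constructed sample of what a breached record gives an attacker: the
# email address and the victim's security-question answers.
BREACHED_RECORDS = {
    "alice@example.com": {"first pet": "rex", "birth city": "springfield"},
}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _check(user, password):
    return user is not None and hmac.compare_digest(
        user["pw"], hash_password(password, user["salt"]))


class AnswerResetStore:
    """Weak flow: whoever knows the answers can set a new password."""

    def __init__(self):
        self.users = {}

    def register(self, email, password, answers):
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "pw": hash_password(password, salt),
                             "answers": {q: a.strip().lower() for q, a in answers.items()}}

    def login(self, email, password):
        return _check(self.users.get(email), password)

    def reset_with_answers(self, email, answers, new_password):
        u = self.users.get(email)
        if u is None:
            return False
        if {q: a.strip().lower() for q, a in answers.items()} != u["answers"]:
            return False
        u["pw"] = hash_password(new_password, u["salt"])  # account taken over
        return True


class TokenResetStore:
    """Hardened flow: reset needs a random token delivered to the mailbox,
    usable once and only within TOKEN_TTL seconds. Only the token's hash is
    stored, so a database dump yields no usable tokens, and
    revoke_pending_resets() drops every outstanding token after a breach."""

    TOKEN_TTL = 15 * 60

    def __init__(self, clock=time.time):
        self.users = {}
        self.pending = {}  # sha256(token) -> (email, expires_at)
        self.clock = clock

    def register(self, email, password):
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "pw": hash_password(password, salt)}

    def login(self, email, password):
        return _check(self.users.get(email), password)

    def request_reset(self, email):
        """Return the token that would be emailed; a real app answers the
        same way for unknown addresses to avoid account enumeration."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.pending[key] = (email, self.clock() + self.TOKEN_TTL)
        return token

    def reset_with_token(self, token, new_password):
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)  # single use, consumed even on failure
        if entry is None:
            return False
        email, expires_at = entry
        if self.clock() > expires_at:
            return False
        u = self.users[email]
        u["pw"] = hash_password(new_password, u["salt"])
        return True

    def revoke_pending_resets(self):
        self.pending.clear()


def demo():
    victim = "alice@example.com"
    stolen = BREACHED_RECORDS[victim]

    weak = AnswerResetStore()
    weak.register(victim, "correct horse battery",
                  {"first pet": "Rex", "birth city": "Springfield"})
    weak_takeover = (weak.reset_with_answers(victim, stolen, "attacker-pw")
                     and weak.login(victim, "attacker-pw"))

    now = [1_700_000_000.0]  # injectable clock so expiry is testable
    hard = TokenResetStore(clock=lambda: now[0])
    hard.register(victim, "correct horse battery")
    hard_guess = hard.reset_with_token("guessed-token", "attacker-pw")  # answers buy nothing
    token = hard.request_reset(victim)
    legit = (hard.reset_with_token(token, "new password")
             and hard.login(victim, "new password"))
    replay = hard.reset_with_token(token, "attacker-pw")  # second use rejected
    stale = hard.request_reset(victim)
    now[0] += TokenResetStore.TOKEN_TTL + 1
    expired = hard.reset_with_token(stale, "attacker-pw")
    return {"weak_takeover": weak_takeover, "hard_guess": hard_guess,
            "legit": legit, "replay": replay, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the weak store handing the account to the holder of the breached answers, while the token store rejects a guessed token, a replayed token and an expired one, and a breach response can clear every pending reset in one call rather than hoping a password-change notice does the job.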

According to FTC senior attorney Lesley Fair, CafePress also failed to protect against SQL injection attacks, didn't require users to set strong passwords, didn't have any decent network intrusion detection in place, and committed other screw-ups.

In proposed settlements with Residual Pumpkin [PDF] and PlanetArt [PDF], the FTC tasked both companies with setting up a "comprehensive information security program" that protects customers' privacy and personal information. This includes, among other things, using multi-factor authentication, encrypting Social Security numbers, and not collecting or maintaining as much customer data.  

The FTC also wants independent third-party assessors to evaluate these new security programs and report back on them.

Plus, the proposed settlement requires Residual Pumpkin to pay $500,000 to victims of the leak. It also requires PlanetArt to notify folks whose personal information was stolen and provide them with information about consumer protection. These settlement packages must go through a public comment period of 30 days before they are finalized by the regulator's commissioners.

Biden signed cyberattack reporting bill

The FTC action comes as President Joe Biden signed into law a cyberattack reporting requirement for critical infrastructure owners and operators. The legislation requires these entities to report a major cybersecurity incident to Uncle Sam's cybersecurity body CISA within 72 hours, and to report any ransomware payment within 24 hours of making it.

Additionally, a new rule proposed by the US Securities and Exchange Commission would force public companies to publicly disclose cyberattacks within four days, and would start mandating periodic reports about corporations' cyber-risk management plans.

As the threat of cyberattacks from Russia in response to Western sanctions looms, supporters of these types of reporting requirements say they will make the US more cyber resilient. 

In an email to The Register, Illumio CEO Andrew Rubin said it's a "step in the right direction."

"Although it may take time for us to reach national resilience, it's important to remember that decisive action is a win and any action beats entropy," Rubin said, noting that the attackers never stop.

"Right now, the best way to bolster national cyber resilience is to act," he opined. "Federal agencies should shore up their mission-critical assets accordingly: back up data, practice incident response plans, and segment networks." ® 
