FTC Orders Company to Pay $500K After Data Breach ‘Cover Up’

E-commerce platform CafePress must pay $500,000 to small businesses and “bolster” its data security practices after it allegedly failed to “secure consumers’ sensitive personal data and covered up a major breach” in 2019, the FTC said Tuesday. The commission voted 4-0 to approve the agency’s complaint. It alleged CafePress, an online customized merchandise platform, “failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions.” The complaint was filed against former owner Residual Pumpkin Entity and PlanetArt, which bought the company in 2020. Future violations against the FTC’s order carry civil penalties of up to $46,517 each. The company didn’t comment.