The U.S. Federal Trade Commission (FTC) wants to slap the former owner of the CafePress custom t-shirt and merchandise site with a $500,000 fine for failing to secure its users' data and attempting to cover up a significant data breach impacting millions.
As the consumer protection watchdog explained, CafePress' former owner, Residual Pumpkin Entity, stored its customers' Social Security numbers and password reset answers in plain text, and their data longer than necessary.
"As a result of its shoddy security practices, CafePress' network was breached multiple times," the FTC
said today.
"The Commission's proposed order requires the company to bolster its data security and requires its former owner to pay a half million dollars [
PDF consent order here] to compensate small businesses."
Per the proposed settlement, Residual Pumpkin and PlanetArt (CAfePress' new owner) will be required to implement multi-factor authentication, minimize the amount of collected and retained data, encrypt Social Security numbers stored on its servers.
