Even though it’s not always apparent, the truth is a human being’s outlook is actually very limited. There are a lot of things that we just cannot cover. Now, such a limitation isn’t harmful under all circumstances, but when it is, the consequences are often more than devastating. Hence, to have a respectable counter strategy in these situations, the world set up dedicated regulatory bodies throughout the spectrum. The move instantly raised the accountability levels and made everyone more responsible for their actions. However, it didn’t exactly remain a cakewalk. You see, as soon as technology’s takeover became inevitable, the regulators’ authority diminished by a whopping margin. This happened because, all of a sudden, the rule breakers were able to carry out their misdoings without leaving any trace at all. It eventually transitioned into a reality where the world was once again vulnerable beyond every parameter, but fortunately, the coin seems set for another flip. As our regulatory industry continues to expand its tech know-how, the room for rule breakers is getting smaller and smaller. This has already been validated quite a few times over the recent past, and one more piece of evidence now looks to join the pack.
The Federal Trade Commission has officially imposed a penalty worth $500,000 on CafePress. The decision follows a data breach that hit the merchandise retailer back in 2019, exposing sensitive data of millions of users. If we are talking specific numbers, the breach saw the hackers steal and then publish personal information of more than 23 million users. This information included email addresses, passwords, unencrypted names, physical addresses, security questions and answers, and more than 180,000 unencrypted Social Security numbers. However, while the breach occurred in February 2019, CafePress notably didn’t disclose any details until September. The FTC’s investigation also revealed how the company made no attempt whatsoever at discouraging users from continuing to use the same information that was exposed in the hack.
“CafePress employed careless security practices and concealed multiple breaches from consumers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “These orders dial-up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information.”
Beyond the disclosure part, the FTC focused at length on CafePress’ questionable approach to storing data, which covered issues like keeping customers’ Social Security numbers, storing password reset answers in plain text, and holding on to user data for longer than necessary. The whole case turns even more interesting once you realize that CafePress was facing cybersecurity issues long before the 2019 breach, and yet the company didn’t do anything to curb the risk.
As part of the settlement, CafePress’ parent owner, PlanetArt, is further required to initiate a few measures, which include introducing multi-factor authentication, minimizing the amount of data it stores, and encrypting the Social Security numbers.