$500,000 Fine Paid for Not Incorporating Reasonable Security

$500,000 Fine Paid for Not Incorporating Reasonable Security

On February 19, 2019, an attacker managed to breach the network of CafePress, a well-known online t-shirt company. It would be the first of several infiltrations over the week. In the end, the attacker made off with the personal data of more than 22 million customers that included email addresses, names, mailing addresses, phone numbers and passwords. In addition, more than 180,000 Social Security numbers (SSNs) as well as thousands of partial payment card numbers and expiration dates were compromised as well. What makes this attack from over three years ago relevant today is that the FTC just announced their ruling a few weeks ago concerning an investigation that stemmed from a filed complaint against the company. The complaint involved both the original owner of CafePress, Residual Pumpkin, and PlanetArt, who purchased CafePress from Residual Pumpkin in 2020. Upon the findings of their investigation, the FTC said that Residual Pumpkin failed to provide reasonable security for the personal information stored on its network. Some of the reasonable security measures found lacking included the following:

• Residual Pumpkin failed to implement readily available protections that included many low-cost protections against well-known and reasonably foreseeable vulnerabilities that could be exploited to gain unauthorized access to the personal information on its network.

• Residual Pumpkin failed to encrypt stored Personal Information (PI). The investigation found that Social Security numbers (SSN), security questions and answers were stored in plain text.

• Residual Pumpkin failed to use modern secure algorithms when encrypting passwords, instead relying on SHA-1, a hashing algorithm that was deprecated by the National Institute of Standards and Technology (NIST) back in 2011.

• Residual Pumpkin failed to implement patch management policies and procedures to ensure the timely remediation of critical security vulnerabilities and used obsolete versions of database and web server software that no longer received patches.

• Residual Pumpkin failed to delete unneeded user data in a timely manner.

Residual Pumpkin who owned CafePress at the time was internally oblivious of the attack. It wasn’t until March 11 that a third-party security researcher contacted the company, alerting them of what they believed was an attack that took place three weeks prior that exploited a SQL vulnerability within their system. The researcher then demonstrated how the attack probably took place. Residual Pumpkin confirmed the vulnerability but determined that a breach had not taken place. This decision was made after reviewing only two weeks of log files.

Days later, the company started investigating a spike in orders that they suspected were fraudulent. A month later, CafePress reset the passwords of all its accounts, but did not disclose to its customers the reason for doing so. Over the next several months, evidence began to trickle in from multiple sources that the compromised data of CafePress customers was for sale throughout the dark web. Finally, on September 4, 2019, CafePress alerted its customers of the data breach and offered victims two years of prepaid identity theft and credit monitoring.

In addition to the lackluster security measures taken by Residual Pumpkin, the FTC ruled that Residual Pumpkin was guilty of attempting to hide the data breach from the public and its customers. Their password reset proved insufficient as the attackers were still able to take over the involved user accounts. In addition, their failure to adequately respond to multiple reports of the breach resulted in an unreasonable delay in notifying the parties involved. Their lack of action increased the likelihood that the compromised information would be utilized. The FTC ruled that Residual Pumpkin must make a payment of $500,000 to the data victims. This is on top of $750,000 that had already been paid according to an agreement made with the New York Attorney General earlier.

In addition to the settlement, Residual Pumpkin and PlanetArt are required to employ a set of comprehensive data security programs to address the problems that lead to the data breach. Some of these include the implementation of a multifactor authentication (MFA) solution, reducing the retention period for stored data and using modern encryption standards for all personal information. PlanetArt is also required to notify those whose information was compromised and provide additional information on how to protect themselves. In the end, the CafePress incident serves as not only a classic case of failing to enact reasonable security measures, but it also stresses the importance of those purchasing or acquiring other companies to perform their due diligence in cybersecurity study.

Define reasonable security for your working environment. Establish a defensible risk and security program with a Duty of Care Risk Analysis (DoCRA).

HALOCK Security Briefing Archives: Updates on cybersecurity trends, threats, legislation, reasonable security, duty of care, key acts and laws, and more that impact your risk management program.