CafePress, an online retailer that sells customized T-shirts, mugs, wall clocks, calendars and other products, was in the news last year for failing to protect sensitive details of its customers in a data breach that occurred in Feb 2019. The breach included 23 million unique email addresses, physical addresses, contact numbers, passwords, credit card details and social security and tax numbers stored in an unencrypted form on the database.
As the company completely failed to protect the information of its customers, Attorney General William Tong announced that the online retailer will pay $2 million as a settlement, out of which $750,000 will be divided amongst the states; of that, those living in Kentucky are said to receive $64,168.
The announced amount is the penalty to be paid by CafePress to different states, as it failed to secure information related to millions of its customers, including many in Kentucky.
The company will also revamp its cybersecurity measures to create an incident response plan, data breach notifications, and containment and recovery provisions, along with threat monitoring solutions.
CafePress will also implement certain data protection standards like encryption and 2FA, and will involve penetration testing, logging and monitoring risks, password management and data minimization measures to protect its customers’ information from hackers. A free 2-year credit monitoring service was offered by the retailer to those whose social security numbers were compromised in the incident, which was disclosed in Sept’19.
Note: In September 2020, Snapfish-owned CafePress was acquired by PlanetArt.
Source: https://www.cybersecurity-insiders.com/cafepress-to-pay-2-million-settlement-for-2019-data-breach/