$500,000 Fine Paid for Not Incorporating Reasonable Security
On February 19, 2019, an attacker breached the network of CafePress, a well-known online t-shirt company. It was the first of several intrusions that week. In the end, the attacker made off with the personal data of more than 22 million customers, including email addresses, names, mailing addresses, phone numbers and passwords. More than 180,000 Social Security numbers as well as thousands of partial payment card numbers and expiration dates were also compromised. What makes this attack from over three years ago relevant today is that in March 2022 the FTC announced a proposed settlement order resolving its complaint against the company. The complaint named both the original owner of CafePress, Residual Pumpkin, and PlanetArt, which purchased CafePress from Residual Pumpkin in 2020. Based on its investigation, the FTC said that Residual Pumpkin failed to provide reasonable security for the personal information stored on its network. Its findings are summarized in the sections below.
|IDENTIFY INDICATORS OF COMPROMISE (IOC)|
Residual Pumpkin, which owned CafePress at the time, did not detect the attack internally. It was not until March 11 that a third-party security researcher contacted the company, alerting it to what they believed was an attack three weeks earlier that exploited a SQL injection vulnerability within its systems, and demonstrating how the attack had probably been carried out. Residual Pumpkin confirmed the vulnerability but concluded that no breach had taken place. That conclusion rested on a review of only two weeks of log files, a window that did not even reach back to the date of the suspected intrusion.
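The two failures above, not hunting for the reported indicator and reviewing a log window too short to contain the attack date, are easy to turn into a concrete check. The following is an added example, not code from HALOCK or CafePress: it scans a handful of constructed web-server access log lines (written for this illustration) for common SQL injection indicators, and separately tests whether a log review window actually reaches back to the suspected attack date using the dates the bulletin gives (report on March 11, attack roughly three weeks earlier, two weeks of logs reviewed). The IP addresses, paths and patterns are assumptions for the example.

```python
import re
from datetime import date, datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample access log (Apache combined format). These lines were
# written for this example and are not real CafePress log data.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Feb/2019:22:14:03 +0000] "GET /shop/search?q=mugs HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2019:01:02:11 +0000] "GET /shop/item?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 84123 "-" "python-requests/2.21"
203.0.113.7 - - [19/Feb/2019:01:02:19 +0000] "GET /shop/item?id=42%20UNION%20SELECT%20email%2Cpassword%20FROM%20users-- HTTP/1.1" 200 913004 "-" "python-requests/2.21"
198.51.100.9 - - [20/Feb/2019:09:30:00 +0000] "GET /shop/item?id=42 HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Generic SQL injection indicators, matched against the URL-decoded request path.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I),          # ' OR 1=1
    re.compile(r"\bunion\b[\s(]+(all\s+)?select\b", re.I),           # UNION SELECT
    re.compile(r"(--|/\*)"),                                        # SQL comment terminators
    re.compile(r"\b(sleep|benchmark|waitfor\s+delay)\s*\(", re.I),  # time-based blind probes
    re.compile(r"\binformation_schema\b", re.I),                    # schema enumeration
]


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode %27, %20 etc. so encoded payloads are visible to the patterns.
    rec["decoded_path"] = unquote_plus(rec["path"])
    rec["date"] = datetime.strptime(rec["ts"].split(":")[0], "%d/%b/%Y").date()
    return rec


def find_sqli(log_text):
    """Return (timestamp, ip, decoded path, matched pattern) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for pat in SQLI_PATTERNS:
            if pat.search(rec["decoded_path"]):
                hits.append((rec["ts"], rec["ip"], rec["decoded_path"], pat.pattern))
                break
    return hits


def review_window_covers(report_date, days_reviewed, suspected_attack_date):
    """True only if a log window of days_reviewed ending at report_date reaches
    back to the suspected attack date (ISO date strings)."""
    end = date.fromisoformat(report_date)
    earliest = end - timedelta(days=days_reviewed)
    return earliest <= date.fromisoformat(suspected_attack_date)


if __name__ == "__main__":
    for ts, ip, path, _ in find_sqli(SAMPLE_LOG):
        print(f"{ts} {ip} {path}")
    # Two weeks of logs reviewed on March 11 do not reach a February 19 attack.
    print("14-day window covers attack:", review_window_covers("2019-03-11", 14, "2019-02-19"))
    print("21-day window covers attack:", review_window_covers("2019-03-11", 21, "2019-02-19"))
```

The UNION SELECT request in the sample also returns a response two orders of magnitude larger than the ordinary item page, which is the kind of size anomaly worth correlating with a pattern hit when confirming exfiltration. The window check is deliberately dumb: if the retained or reviewed logs do not reach the date a researcher gives you, a "no breach found" conclusion is not supported by the evidence.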
|CONTAINMENT (If IoCs are identified)|
In addition to the lackluster security measures, the FTC's complaint charged Residual Pumpkin with attempting to conceal the data breach from the public and its customers. Its password reset proved insufficient, as the attackers were still able to take over the affected user accounts. Its failure to respond adequately to multiple reports of the breach also resulted in an unreasonable delay in notifying the affected parties, which increased the likelihood that the compromised information would be misused. Under the order, Residual Pumpkin must pay $500,000 in redress to the breach victims, on top of the $750,000 already paid under an earlier agreement with the New York Attorney General.
In addition to the settlement, Residual Pumpkin and PlanetArt are required to implement comprehensive data security programs addressing the problems that led to the breach, including multifactor authentication, shorter retention periods for stored data and modern encryption standards for all personal information. PlanetArt is also required to notify those whose information was compromised and provide guidance on how to protect themselves. In the end, the CafePress incident is not only a classic case of failing to enact reasonable security measures; it also underscores the need for companies purchasing or acquiring other companies to perform cybersecurity due diligence.
Define reasonable security for your working environment. Establish a defensible risk and security program with a Duty of Care Risk Analysis (DoCRA).
HALOCK Breach Bulletins
Recent data breaches to understand common threats and attacks that may impact you – featuring description, indicators of compromise (IoC), containment, and prevention.