NEW YORK – New York Attorney General Letitia James today announced a $2 million agreement with CafePress to resolve a 2019 data breach that compromised the personal information of approximately 22 million consumers nationwide, including more than one million in New York state. CafePress — an online retailer of stock and user-customized products — failed to take thorough action for months after learning users’ personal information was vulnerable. Attorney General James led a coalition of seven attorneys general in investigating the breach, which compromised consumers’ names, email addresses, passwords, physical addresses, and phone numbers, as well as, in some cases, sellers’ full, unencrypted Social Security or tax identification numbers.  

“New Yorkers have every reasonable expectation to trust that their personal information will remain protected,” said Attorney General James. “CafePress breached that trust by failing to protect consumers and then failing to take immediate action when they learned data was at risk. My office is committed to protecting consumers, which is why we will continue to use every available tool to hold companies accountable when they fail to safeguard personal information.” 

On or before February 19, 2019, an attacker obtained the customer and seller information of approximately 22 million accounts, including 186,179 accounts with a Social Security or tax identification number collected from sellers for tax purposes. Subsequently, a third-party security researcher informed CafePress of a vulnerability attacking a data-driven application. Upon learning of this vulnerability, CafePress reviewed database and webserver logs dating back only two weeks and did not find evidence of a breach. Nonetheless, on March 13, 2019, CafePress issued a patch to remediate the vulnerability. On April 4, 2019, CafePress reset the passwords of all CafePress customer accounts, requiring all users who accessed their account on or after April 4, 2019 to set a new password upon login.

On August 4, 2019, the website “Have I Been Pwned” — a site that allows individuals to check whether their personal information has been compromised — added the email addresses associated with the accounts exposed in the 2019 data breach to its website and notified those users of the breach.

At this point, nearly six months after the intrusion, and close to five months after its first indication of the vulnerability, CafePress finally conducted a full investigation into whether its user database had been breached. During this investigation, CafePress determined that its users’ personal information was available for sale on the dark web.

Starting on September 4, 2019, CafePress began to notify affected customers of the breach. CafePress offered two years of credit monitoring and theft resolution services at no charge to those whose Social Security numbers and/or tax identification numbers were affected by the incident.

As part of today’s agreement, CafePress will make a series of improvements designed to protect consumer personal information from cyberattacks in the future, including:

• Creating a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats, as well as regular reporting to the CEO concerning security risks;
• Designing an incident response and data breach notification plan that will be required to encompass preparation, detection and analysis, containment, eradication, and recovery;
• Ensuring personal information safeguards and controls — including encryption, segmentation, penetration testing, logging and monitoring, a risk assessment program, password management, and data minimization — are in place;  
• Providing clear notice to consumers concerning account closure and data deletion; and
• Ensuring third-party security assessments take place for the next five years.

PlanetArt, LLC — the company that purchased, substantially, all the assets of CafePress during the pendency of the states’ investigation, and now currently owns and operates cafepress.com — has agreed to all the provisions of this agreement in an effort to protect consumer data.

Pursuant to the agreement, CafePress has agreed to pay a total of $2 million to the multistate coalition. An immediate payment of $750,000 will be divided amongst the states, of which $304,141.55 will go to New York state directly. The remainder of the $2 million payment is suspended based on the company’s financial condition. 

Joining Attorney General James in the investigation and today’s agreement are the attorneys general of Connecticut, Indiana, Kentucky, Michigan, New Jersey, and Oregon.

This matter was handled by Assistant Attorney General Hanna Baek, Deputy Bureau Chief Clark Russell, and Internet and Technology Analyst Joe Graham — all of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.