CafePress owners settle with FTC over data breach 'cover up'

2 minute read

Federal Trade Commission headquarters in Washington, D.C. REUTERS/Andrew Kelly

Register now for FREE unlimited access to
  • Hacker exploited the online retailer's security failures in 2019, FTC alleged
  • Agency says CafePress network was breached "multiple times"

March 15 - The U.S. Federal Trade Commission said Tuesday it has taken action against CafePress over security lapses leading to a 2019 data breach, entering into proposed settlements with the online merchandise platform's current and former owners.

The FTC said it filed a complaint against former CafePress owner Residual Pumpkin Entity LLC and current owner PlanetArt LLC, alleging CafePress didn't sufficiently protect consumers' and shopkeepers' personal data collected through its website.

In February 2019, a hacker was able to access more than 20 million unencrypted email addresses and encrypted passwords, and other unencrypted personal information, according to the administrative complaint.

Register now for FREE unlimited access to

The CafePress owner patched the vulnerability but didn't investigate or notify consumers for several months, the FTC said. The company sent notifications in September after the breach was "reported widely," the agency said in a statement.

CafePress' network was breached "multiple times," even before the 2019 incident, as a result of lax security practices, the FTC said. Those included storing Social Security numbers in readable text and holding onto data for too long, the agency said.

Residual Pumpkin would have to pay $500,000 under the proposed settlement to data breach victims, the FTC said in the statement. Both companies would have to put in place certain information security programs.

PlanetArt CEO Roger Bloxberg said in an email that the 2019 breach happened "well before" the company purchased CafePress, but PlanetArt company is "happy to agree" to its role in the settlement. PlanetArt was represented by Bryan Cave Leighton Paisner in the matter.

Lawyers for Residual Pumpkin at Jones Day did not immediately respond to a request for comment.

CafePress separately in December 2020 reached a $2 million settlement with seven state attorneys general over the 2019 breach.

(Updates to add comment from Roger Bloxberg of PlanetArt).

The case is In the Matter of Residual Pumpkin Entity LLC, d.b.a. CafePress and PlanetArt LLC, d.b.a. CafePress

For PlanetArt: James Dudukovich of Bryan Cave Leighton Paisner

For Residual Pumpkin: Jennifer Everett and Kerianne Tobitsch of Jones Day

For the FTC: M. Hasan Aijaz and Matthew Wilshire of the FTC

Register now for FREE unlimited access to

Our Standards: The Thomson Reuters Trust Principles.

Thomson Reuters

Sara Merken reports on privacy and data security, as well as the business of law, including legal innovation and key players in the legal services industry. Reach her at