The U.S. Federal Trade Commission (FTC) wants to slap the former owner of the CafePress custom t-shirt and merchandise site with a $500,000 fine for failing to secure its users’ data and attempting to cover up a significant data breach impacting millions. As the consumer protection watchdog explained, CafePress’ former owner, Residual Pumpkin Entity, stored its customers’ Social Security numbers and password reset answers in plain text, and retained their data longer than necessary.
“As a result of its shoddy security practices, CafePress’ network was breached multiple times,” the FTC said in its announcement (FTC Takes Action Against CafePress for Data Breach Cover Up, Federal Trade Commission).
Storing sensitive data such as Social Security numbers and password reset answers in plain text is no longer acceptable. Under privacy laws, organizations have to protect the privacy, and thus the data, of individuals under all circumstances. Unfortunately, many organizations still lack a solid cyber and data security strategy and do not make use of modern approaches. This will not only result in hefty fines but also in lost consumer trust, which may have a long-term impact.
Users should be very careful when choosing password reset answers. Besides the fact that this is not considered a good method of authentication and multi-factor authentication should always be favoured, consumers should be aware that those answers might be leaked some day. The best approach is to pick random answers and store them alongside your password in a password manager, so that a leak of these answers does not affect other accounts or, even worse, make your secrets public.
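As an added illustration of both points above (this is example code written for this post, not code from CafePress or the FTC), the snippet shows the service-side fix for plain-text reset answers, hashing them with a salted slow KDF so a database leak does not expose them, and the user-side advice of generating a random answer to keep in a password manager. The scrypt cost parameters are assumed values chosen for illustration.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Assumed scrypt cost parameters for illustration (128*N*r = 16 MiB of memory).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so "Fluffy " and "fluffy" verify the same,
    without ever storing the answer itself."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str) -> str:
    """Return a self-describing record scrypt$<salt-hex>$<hash-hex>.
    Only this record is persisted; the plain-text answer is discarded."""
    salt = secrets.token_bytes(16)  # fresh per-answer salt defeats rainbow tables
    digest = hashlib.scrypt(
        normalize_answer(answer).encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_answer(answer: str, record: str) -> bool:
    """Recompute the hash under the stored salt and compare in constant time.
    Malformed or non-scrypt records (e.g. legacy plain text) never verify."""
    try:
        scheme, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(
        normalize_answer(answer).encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )
    return hmac.compare_digest(candidate, expected)


def random_answer(nbytes: int = 16) -> str:
    """What a user should enter instead of a real fact about themselves:
    a random string kept in a password manager, worthless if leaked."""
    return secrets.token_urlsafe(nbytes)
```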