[BreachExchange] Class-Action Lawsuit Filed Against CafePress Following Data Breach

Destry Winant destry at riskbasedsecurity.com
Wed Oct 9 09:51:10 EDT 2019


https://www.infosecurity-magazine.com/news/lawsuit-filed-against-cafepress/

Leading online gift shop CafePress is the target of a proposed
national class-action lawsuit in the United States after allegedly
failing to update its security software and taking months to inform
customers of a data breach.

The retailer was heavily criticized earlier this year for its poor
cybersecurity and incident response after it emerged that 23 million
customers had their personal data stolen in a breach that is thought
to have occurred in February 2019.

Third-party consumer sites, including weleakinfo.com and
haveibeenpwnd.com, were independently warning consumers of the breach
as early as July 13, 2019, but the incident was not officially
reported by CafePress to its customers until last week.

Data exposed by the breach included email addresses, names, physical
addresses, phone numbers, and passwords stored as SHA-1 hashes.

The suit has been filed by consumer-rights law firm FeganScott, which
alleges that CafePress failed to employ best practices when alerting
customers of the data breach. According to the complaint, CafePress’
first notifications appeared on its website on September 5, but the
company did not directly notify its customers until October 2, 2019.

"As galling as it is to know that a national retailer like CafePress
failed in its duty to safeguard consumer information, it is
reprehensible that they knew—or should have known—about the breach and
failed to warn their customers that their credit card information and
Social Security numbers could be for sale to the highest bidder on the
dark web," said Beth Fegan, a founder of FeganScott.

It is further alleged that CafePress failed to offer adequate
protection to its customers by neglecting to update security software
that was widely known to be flawed.

"CafePress allegedly relied on Secure Hash Algorithm 1 (SHA-1) as the
lynchpin of its data security," said Fegan. "Hackers and security
experts know that SHA-1 has been useless in protecting data since
about 2005. These days, SHA-1 is the digital equivalent of a picket
fence when it comes to keeping the wolves from the sheep."

The suit, filed today in US District Court in Illinois, seeks to
represent all US consumers who were impacted by the breach. Consumers
who are interested in learning more about this class-action suit can
contact cafepress at feganscott.com.

