On Sept. 29, 2019, Cafe Press notified its users of a data breach which seems to have occurred on February 19, 2019. Below is the company’s summary of what happened:
“CafePress recently discovered that an unidentified third party obtained customer information, without authorization, that was contained in a CafePress database. Based on our investigation to date, this may have occurred on or about February 19, 2019.” In its email, Cafe Press made no mention of the size of the data loss, which affected 23 million users worldwide.
It is interesting to note that the technology-oriented media outlets reported on this in early August, as this Forbes article shows. However, Cafe Press did not alert its users for nearly two months after the breach was made public. The blog Latest Hacking News was more direct about this notification lapse by Cafe Press, calling attention to it by titling their article about the breach “CafePress.com Suffered Data Breach Affecting 23M Accounts – No Official Disclosure Yet!”
Cafe Press has not offered any explanation for the lack of clarity on the size of the data loss, or for the delay in notifying users. We can speculate that one reason may be the effort of obtaining all the corporate communications, legal and organizational sign-offs needed before publishing a notification of this nature, which will be seen by users and regulators worldwide.
Typically, the press notifies the public first about data breaches. Historically, public-facing internet sites that report on breaches, such as haveibeenpwned.com and weleakinfo.com as well as various hacking subreddits, frequently receive information about a breach first. Tech media then picks up the story. Eventually the story gathers enough “legs” that the public at large starts hearing about it.
It is also true that companies wisely exercise discretion about making public announcements. Litigation is a serious threat to any company, and public disclosures may be used against it later. A company which has been breached generally delays notifying customers until it is sure of the facts, and has the technology situation stabilized. Since a third party was involved in this incident, Cafe Press likely has been dealing with contractual issues with the other party. There may also be legal and regulatory steps to complete prior to public notification. Discretion in making public announcements makes sense, from the risk, legal, and reputation management perspectives.
It is important to note that this breach is a PII data loss incident: as the company further explained in its email, the data was actually stolen (lost) by a third party (again, a third-party breach), and “may have included your name, email address, the password to your customer CafePress account, and other information.” In other words, personally identifiable information (PII).
This is a serious incident, and resolving it will be complex, not only because of the type of data lost and the number of users, but also because the scope includes people in countries with laws that strictly protect privacy. It will be interesting to see how Cafe Press handles this moving forward, and how the EU and other regulating bodies approach the incident.
One thing is clear about this data loss incident: many, many eyes are now focused on it. And while we don’t know much about this incident yet, people are already pushing Cafe Press to clarify just how this happened. Stay tuned; this is a developing story.
Who is Shore Cybersecurity LLC?
Cybersecurity, technology, vendor management, risk management, and privacy consultant. We help small and medium businesses (SMBs) using a patent-pending methodology to solve cybersecurity problems with maximum effect and lowest cost. Risk-free NO COST 30-minute consult. Contact us today to learn more.