CafePress Inc. has been hit by a class-action lawsuit following a data security breach that happened in February 2019. The national lawsuit was filed on October 4, 2019, in the United States Court in Illinois. Consumer-rights law firm FeganScott is slated to handle the case.
According to the press release, CafePress failed to inform affected consumers and users in a timely manner. The company took “almost eight months to stand up and take responsibility for its actions,” said Beth Fegan. The inaction and inappropriate steps taken by the world’s largest gift shop resulted in customer data remaining compromised for months.
The 22-page lawsuit filed by FeganScott alleges that CafePress fell short in informing affected users about the incident. To date, 23 million individuals have been affected. Following the incident, consumers were supposedly forced to shoulder out-of-pocket expenses to verify the status of their finances.
FeganScott law firm aims to represent United States citizens and worldwide customers who have been affected by the data breach.
Forbes reports that third-party providers such as haveibeenpwned.com and weleakinfo.com notified consumers about the breach on July 13, 2019. However, news sites report that unauthorized access to the system dates back as early as February 20, 2019.
Despite these early notices to users, CafePress only formally disclosed the issue on October 2, 2019. The company initially claimed that notifications regarding the incident went out as early as September 5, 2019.
The hacking incident left 23,205,290 consumers vulnerable, revealing information such as names, phone numbers, and physical addresses, Forbes notes. Cybersecurity researcher Jim Scott added that passwords hashed with SHA-1 were also compromised.
Other compromised data includes credit card numbers, credit card expiration dates, and Social Security numbers. Tax identification numbers were also found on the roster of vulnerable information.
Failure to Protect Consumers
The lawsuit filed by FeganScott blames the company for failing to protect its customers in a number of ways. Apart from reportedly forgetting to update the security software it had in place, it also overlooked password protection protocols, says Infosecurity Magazine.
CafePress hashed passwords with Secure Hash Algorithm 1 (SHA-1) as a means of protection. However, SHA-1 is a hash function, not encryption, and industry experts consider it inadequate for protecting passwords, with hackers easily recovering passwords from the hashes.
Besides lacking strong security systems, CafePress is also under fire for attempting to conceal the incident for almost eight months. Instead of notifying customers, Class Action reports, CafePress issued a statement on its website with details about the incident.