FTC Orders Online Retailer CafePress to Improve Security After 2019 Hack

The Federal Trade Commission on Friday ordered online retailer CafePress to strengthen its security measures and pay a $500,000 fine as part of a settlement over a 2019 breach affecting millions of customers’ personal data.

The final order mandates that the e-commerce site minimize its data collection, encrypt users’ Social Security numbers and institute multifactor authentication measures. The company also will have to undergo independent security audits every other year.

The settlement reflects how the agency under Chair Lina Khan has pushed prescriptive measures to curtail alleged data-privacy abuses and security lapses. The Biden appointee has promised to take a more aggressive approach to such issues as part of an expansive regulatory agenda.

The CafePress settlement stems from a February 2019 incident in which a hacker accessed data from the online retailer’s computer systems. The breached information included more than 20 million customer emails and passwords with allegedly inadequate encryption, as well as 180,000 Social Security numbers stored in plain text. The FTC alleged that the e-commerce site failed to implement reasonable security protections, retained data longer than necessary and didn’t properly investigate the breach.

The order, finalized Friday, will cover CafePress for the next 20 years, requiring the e-commerce site to also report future cyber incidents to the FTC.

CafePress didn’t admit to wrongdoing as part of the settlement. A representative for PlanetArt LLC, which owns the online retailer, didn’t respond to a request for comment.

Approved unanimously by the FTC’s five commissioners, the order comes as the agency’s new Democratic…