Tag Archive for: FTC

FTC Orders Online Retailer CafePress to Improve Security After 2019 Hack


The Federal Trade Commission on Friday ordered online retailer CafePress to strengthen its security measures and pay a $500,000 fine as part of a settlement over a 2019 breach affecting millions of customers’ personal data.

The final order mandates that the e-commerce site minimize its data collection, encrypt users’ Social Security numbers and institute multifactor authentication measures. The company also will have to undergo independent security audits every other year.

The settlement reflects how the agency under Chair Lina Khan has pushed prescriptive measures to curtail alleged data-privacy abuses and security lapses. The Biden appointee has promised to take a more aggressive approach to such issues as part of an expansive regulatory agenda.

The CafePress settlement stems from a February 2019 incident in which a hacker accessed data from the online retailer’s computer systems. The breached information included more than 20 million customer emails and passwords with allegedly inadequate encryption, as well as 180,000 Social Security numbers stored in plain text. The FTC alleged that the e-commerce site failed to implement reasonable security protections, retained data longer than necessary and didn’t properly investigate the breach.

The order, finalized Friday, will cover CafePress for the next 20 years, requiring the e-commerce site to also report future cyber incidents to the FTC.

CafePress didn’t admit to wrongdoing as part of the settlement. A representative for PlanetArt LLC, which owns the online retailer, didn’t respond to a request for comment.

Approved unanimously by FTC’s five commissioners, the order comes as the agency’s new Democratic…

Source…

FTC to fine CafePress for cover up of massive data breach



The U.S. Federal Trade Commission (FTC) wants to slap the former owner of the CafePress custom t-shirt and merchandise site with a $500,000 fine for failing to secure its users’ data and attempting to cover up a significant data breach impacting millions.

As the consumer protection watchdog explained, CafePress’ former owner, Residual Pumpkin Entity, stored its customers’ Social Security numbers and password reset answers in plain text, and retained their data longer than necessary.

“As a result of its shoddy security practices, CafePress’ network was breached multiple times,” the FTC said today.

“The Commission’s proposed order requires the company to bolster its data security and requires its former owner to pay a half million dollars [PDF consent order here] to compensate small businesses.”

Per the proposed settlement, Residual Pumpkin and PlanetArt (CafePress’ new owner) will be required to implement multi-factor authentication, minimize the amount of collected and retained data, and encrypt Social Security numbers stored on its servers.

The massive February 2019 data breach

Following a February 2019 breach of CafePress’ servers, unknown attackers accessed and later put up for sale on the dark web a trove of information belonging to 23,205,290 users, including:

  • millions of email addresses and passwords with weak encryption; 
  • millions of unencrypted names, physical addresses, and security questions and answers; 
  • more than 180,000 unencrypted Social Security numbers; 
  • and tens of thousands of partial payment card numbers and expiration dates.

CafePress purportedly tried to cover up this massive data breach and did not inform any of the impacted customers until September 2019, one month after BleepingComputer reported the breach.

At the time, CafePress did not respond to BleepingComputer’s queries and did not issue a statement regarding the incident. The only indication that something was wrong was that users were forced to reset their password when logging in (with no mention of the breach).

Failures to report breaches and investigate attacks

CafePress was also aware that it had data security problems even before the 2019 data breach. According to FTC’s complaint, the company…

Source…

App-etite for Notification: FTC Says “Welcome to the Jungle” to Mobile Health App Developers in Policy Statement on Health Breach Notification Rule | Wyrick Robbins Yates & Ponton LLP


Last week’s news that the Federal Trade Commission is taking steps to begin rulemaking on consumer privacy and artificial intelligence drew plenty of attention from privacy professionals, and suggests 2022 could be an interesting year for federal regulation of privacy and data security. But that development is only one of a series of moves the Commission has recently made in this space. In September, a divided Commission issued a Policy Statement that adopts a surprisingly broad interpretation of the FTC’s existing Health Breach Notification Rule, and suggests the FTC is seeking opportunities to use its existing authority to crack down on mobile health apps’ lax privacy and data security practices.

In that Policy Statement, the FTC takes the position that the Health Breach Notification Rule, which applies to “vendors of personal health records,” covers any mobile app that processes health information and that can draw personal information from multiple sources. The FTC also states that the Rule broadly requires notification of any unauthorized access to consumer health information, including the sharing of a consumer’s health information without the consumer’s authorization.

Mobile health app developers should take careful note of the Policy Statement’s interpretations and assess their offerings’ compliance posture accordingly.

Overview of the Health Breach Notification Rule

The FTC issued the Health Breach Notification Rule in 2009 to impose breach notification requirements on companies that process consumer health information, but are not subject to HIPAA. To that end, the Rule requires a “vendor of personal health records” to notify affected consumers and the FTC whenever “unsecured [personal health record] identifiable health information [is] acquired by an unauthorized person” as a result of “a breach of security of unsecured [personal health record] identifiable health information.” A “vendor of personal health records” is an entity that (1) is not a HIPAA covered entity or business associate and (2) offers or maintains “personal health records.”

“Personal health records” are in turn defined under the Rule as electronic…

Source…

FTC bans spyware maker SpyFone, and orders it to notify hacked victims – TechCrunch


The Federal Trade Commission has unanimously voted to ban the spyware maker SpyFone and its chief executive Scott Zuckerman from the surveillance industry, the first order of its kind, after the agency accused the company of harvesting mobile data on thousands of people and leaving it on the open internet.

The agency said SpyFone “secretly harvested and shared data on people’s physical movements, phone use and online activities through a hidden device hack,” allowing the spyware purchaser to “see the device’s live location and view the device user’s emails and video chats.”

SpyFone is one of many so-called “stalkerware” apps that are marketed under the guise of parental control but are often used by spouses to spy on their partners. The spyware works by being surreptitiously installed on someone’s phone, often without their permission, to steal their messages, photos, web browsing history and real-time location data. The FTC also charged that the spyware maker exposed victims to additional security risks because the spyware runs at the “root” level of the phone, which allows the spyware to access off-limits parts of the device’s operating system. A premium version of the app included a keylogger and “live screen viewing,” the FTC says.

But the FTC said that SpyFone’s “lack of basic security” exposed those victims’ data, because of an unsecured Amazon cloud storage server that was spilling the data its spyware was collecting from more than 2,000 victims’ phones. SpyFone said it partnered with a cybersecurity firm and law enforcement to investigate, but the FTC says it never did.

Practically, the ban means SpyFone and its CEO Zuckerman are banned from “offering, promoting, selling, or advertising any surveillance app, service, or business,” making it harder for the company to operate. But FTC Commissioner Rohit Chopra said in a separate statement that stalkerware makers should also face criminal sanctions under U.S. computer hacking and wiretap laws.

The FTC has also ordered the company to delete all the data it “illegally” collected, and, also for the first time, notify victims that the app had been secretly installed on their…

Source…