CafePress, the Louisville online retailer of stock and user-customized on-demand products,
suffered a data breach in February affecting 23 million accounts. However customers didn’t learn of the breach until months later – and from third parties.
The breach apparently happened on February 20, exposing email addresses, names, physical addresses, phone numbers, and passwords stored as SHA-1 hashes. CafePress faced criticism for using outdated weak security on user accounts, according to InfoSecurity Magazine.
CafePress didn’t send out its own notifications until last week. It’s unclear why the organization waited so long.
Now a proposed class-action lawsuit has been filed in an Illinois federal court claiming CafePress didn’t follow best practices in alerting affected individuals of the breach. The suit says CafePress also exposed credit card information.
In addition to the notification issue, the lawsuit also says plaintiff customers have a claim over CafePress failing to update its security.
In an interview, one of the lead attorneys, Beth Fegan, who specializes in consumer rights, told InfoSecurity “CafePress allegedly relied on Secure Hash Algorithm 1 (SHA-1) as the lynchpin of its data security. Hackers and security experts know that SHA-1 has been useless in protecting data since about 2005.”
Customer notification is a tricky issue. Regulated industries have deadlines for notifying affected parties, and good customer service does not involve keeping people in the dark when you’ve caused them a problem.
We recommend you develop a plan for handling a data breach – including client notification – before you experience a breach. There are steps you need to take, sometimes in a certain order, that can help you save time and costs in a breach – including the damage of client anger and lawsuits.
If you would like expert help in developing your response plan, contact us for a conversation.