Online retailer’s antiquated technology led to breach of over 23 million accounts

CafePress, touted as the world’s largest online gift shop with more than a billion products and a “safe and secure” shopping guarantee, is the target of a proposed national class-action lawsuit by consumer-rights law firm FeganScott, claiming the retailer allowed hackers access to millions of consumers’ credit information.

According to the law firm, CafePress failed to update security software that is widely known as flawed, failed to employ best practices and failed to alert customers of the data breach.

“As galling as it is to know that a national retailer like CafePress failed in its duty to safeguard consumer information, it is reprehensible that they knew – or should have known – about the breach and failed to warn their customers that their credit card information and social security numbers could be for sale to the highest bidder on the dark web,” said Beth Fegan, founder and managing member of FeganScott.

Fegan noted that while CafePress remained mute on the security breach, third-party consumer sites including weleakinfo.com and haveibeenpwnd.com were independently warning consumers of the breach as early as July 13, 2019.

According to the complaint, CafePress’ first notifications appeared on its website September 5, but the company did not directly notify its customers until Oct 2, 2019.

“It took CafePress almost eight months to stand up and take responsibility for its actions, or more precisely, lack of action,” said Fegan.

According the suit, because of CafePress’ actions, consumers are saddled with the responsibility of monitoring their credit, changing passwords and taking other time-consuming steps to safeguard their financial identity.

Fegan added that the economic cost to consumers increases dramatically if identity thieves use the stolen data to target consumers’ bank and credit card accounts.

“We may have become accustomed to news of data breaches, but we’ve seen the impact firsthand when consumers’ data is used in identity theft,” Fegan said. “Consumers find themselves embroiled in trying to set things straight, often dealing with the repercussions for years.”

The suit, filed today in U.S. District Court in Illinois seeks to represent all U.S. consumers who are a part of the breach, estimated at 23 million people in the U.S. and abroad.

According to Fegan, CafePress reportedly had not updated the company’s digital security systems designed to safeguard consumer data.

“CafePress allegedly relied on Secure Hash Algorithm 1 (SHA-1) as the lynchpin of its data security,” Fegan noted. “Hackers and security experts know that SHA-1 has been useless in protecting data since about 2005. These days, SHA-1 is the digital equivalent of a picket fence when it comes to keeping the wolves from the sheep.”

Consumer who are interested in learning more about this class action suit are urged to send their contact information to cafepress@feganscott.com.

