Let’s face it; mistakes happen.
But, when those mistakes are compounded by ignorance, laziness, and deceit, the results are even worse.
Following a series of cybersecurity failures, this was the harsh lesson learned by one large online retailer.
After suffering a data breach, CafePress now faces a $500,000 fine, and must submit to FTC security assessments every two years for the next 20 years.
Why? Because not only did they fail to secure data; they also covered up the incident.
For good reason, cybersecurity is one of the most important aspects of the modern business world.
Let’s take a look at the problems facing businesses today, and what led to this major fine in particular.
Government Warnings on Cybersecurity Failures
Cyberattacks continue to cause concern for the millions of companies that conduct business online.
And, it’s not just the business’s data that’s at risk when cybersecurity failures arise.
Data from your clients, your vendors, your partners, and more, can all be exposed when a breach occurs. That’s a major part of the reason CafePress was fined $500K.
Now, as the situation in Ukraine continues, the White House warns of possible Russian cyberattacks against U.S. critical infrastructure.
Making matters worse, from 2020 to 2021, attacks increased 50%.
Additionally, the FBI revealed that cybercrime victims lost over $6.9 billion, while the average organization receives 925 cyberattacks per week.
At this point, cybersecurity failures simply aren’t acceptable.
The White House further recommends an IT improvement checklist for all businesses, including:
- Educate employees on common attack tactics and on reporting unusual computer behavior
- Encrypt data to prevent cybersecurity failures
- Engage with local FBI and CISA offices proactively, and make use of CISA and FBI resources
- Ensure data backup and offline backup copies
- Multi-factor authentication
- Modern proactive endpoint protection
- Patch & update systems, or enact controls to counter vulnerabilities
- Proactively change all network passwords to eliminate the threat of stolen credentials
- Run table-top exercises and conduct drills of emergency plans
Separately, the SEC proposed that material data breaches and cybersecurity incidents be publicly reported within four days of the incident.
The SEC proposal applies only to public companies, but the new Cyber Incident Reporting Act requires critical infrastructure companies in 16 industry sectors to report attacks to CISA within 72 hours, or within 24 hours of a ransomware payment.
What CafePress Did Wrong, and How to Avoid the Same Fate
The Federal Trade Commission (FTC) fined CafePress $500K for sloppy data security practices – and for lying.
In their report, they found CafePress consistently misrepresented how:
- Personal information was protected
- Consumer accounts were secured following security incidents
- Email addresses were used
- Privacy laws were handled
- The organization handled deletion requests by customers and sellers
The FTC cited CafePress’s sloppy security practices as failure to:
- Enable a reliable way to receive and act on security alerts
- Follow up on malware infection incidents
- Investigate efforts to divert employee payroll – until after the third attempt
- Notice account takeover of employee email addresses for several months
- Patch against known vulnerabilities
- Store password hashes with ‘salting’ or ‘stretching’
- Store password recovery questions and answers securely (they were stored in plaintext)
The FTC also noted extreme delays in CafePress incident response processes:
- Allowing stolen recovery answers to be used for password resets six months after learning of the breach, while claiming the problem had been fixed
- Failure to notify users of the breach for several months after it was publicly reported
Adding insult to injury, the FTC noted that CafePress even charged customers a $25 fee to close breached accounts.
The FTC issued the fine and requires oversight for security testing, largely because none of these violations should have been difficult to fix.
First, lies and privacy violations are simply inexcusable.
Creating, adopting, and enforcing written policies keeps practice aligned with policy for data protection, use of personal information, privacy compliance, and data deletion.
Second, the sloppy security practices could be easily solved by:
- Protecting data at rest: encrypting stored data, and hashing passwords (with salting) and security-question answers rather than storing them in plaintext
- Monitoring for potential breach or fraud (email issues, irregular activity, payroll fraud, etc.)
- Monitoring security alerts and having a process to investigate on a timely basis
- Regular patching and software updates
- Responding quickly to an incident and communicating clearly
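As an added illustration (not code from the original post or from CafePress) of the two storage failures the FTC cited, the following contrasts an unsalted single-round hash with a salted, stretched hash, and applies the same treatment to recovery answers so the plaintext is never kept; the iteration count is an assumed value.

```python
import hashlib
import hmac
import os

# Assumed work factor for "stretching" (PBKDF2 iteration count); constructed
# for this example rather than taken from any real deployment.
ITERATIONS = 600_000
SALT_BYTES = 16

def unsalted_sha1(secret: str) -> str:
    """The faulted pattern: one fast hash round and no per-user salt, so two
    users with the same password end up with the same stored digest."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest()

def hash_secret(secret: str, iterations: int = ITERATIONS) -> str:
    """Salted, stretched hash for a password or recovery answer.
    Returns a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_secret(record: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time. Malformed records verify as False rather than raising."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, rounds = bytes.fromhex(salt_hex), int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)

def normalize_answer(answer: str) -> str:
    """Case- and whitespace-normalize a recovery answer before hashing, so a
    user typing 'Fluffy ' still matches without the plaintext being kept."""
    return " ".join(answer.strip().lower().split())

def hash_recovery_answer(answer: str, iterations: int = ITERATIONS) -> str:
    return hash_secret(normalize_answer(answer), iterations)

def verify_recovery_answer(record: str, answer: str) -> bool:
    return verify_secret(record, normalize_answer(answer))
```

With salting, two users who pick the same password produce different records, and a stolen recovery-answer table no longer yields usable plaintext answers.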
Take Control of Your Cybersecurity
Cyberattack risks and potential losses are on the rise.
And, if you don’t handle an incident correctly, you could end up punished even more.
Don’t let cybersecurity failures leave you blindsided.
Monitor your systems for improper activity, use data encryption whenever possible, and maintain strong, written policies for how to handle security situations.
When possible, consider tools like multi-factor authentication or password managers to keep your accounts safe from prying eyes.
For some, the solutions for CafePress’s poor practices might sound difficult or out of reach for their current resources.
Fortunately, those resources can be easily and affordably expanded.
Contact Ideal Integrations and Blue Bastion at 412-349-6680, or explain your concerns in the form below, and our security experts will offer a no-obligation overview and explanation of potential solutions.