#Privacy: CafePress faces class-action lawsuit

CafePress has become the target of a proposed national class-action lawsuit following a data breach exposing more than 20 million accounts. 

The data breach had compromised the records of more than 23 million accounts, including their names, physical addresses, phone numbers and passwords. 

The consumer-rights law firm FeganScott has claimed that CafePress allowed hackers to access the credit information of millions of customers’, as the company failed to update security software. 

“CafePress allegedly relied on Secure Hash Algorithm 1 (SHA-1) as the lynchpin of its data security,” Fegan noted. “Hackers and security experts know that SHA-1 has been useless in protecting data since about 2005. These days, SHA-1 is the digital equivalent of a picket fence when it comes to keeping the wolves from the sheep.”

Additionally the law firm is claiming that the online gift shop failed to employ best practices, and failed to alert customers of the data breach. 

Third-party consumers sites including haveibeenpwned.com and weleakinfo.com were warning customers of the breach from as early as July 13 – whilst CafePress remained mute. 

Beth Fegan, founder and managing member of FeganScott, said: “As galling as it is to know that a national retailer like CafePress failed in its duty to safeguard consumer information, it is reprehensible that they knew – or should have known – about the breach and failed to warn their customers that their credit card information and social security numbers could be for sale to the highest bidder on the dark web.”

According to the complaint, CafePress only notified customers from October 2, 2019 – despite their first notifications appearing on its website September 5. 

“It took CafePress almost eight months to stand up and take responsibility for its actions, or more precisely, lack of action,” said Fegan. 

Due to the company’s actions, consumers have had to take responsibility in changing passwords, monitoring their credit, and enforcing other steps to safeguard their financial identity. 

“We may have become accustomed to new of data breaches, but we’ve seen the impact first hand when consumers’ data is used in identity theft,” Fegan said. “Consumers find themselves embroiled in trying to set things straight, often dealing with the repercussions for years.”

The class-action lawsuit was filed in the U.S District Court in Illinois, and seeks to represent all U.S consumers that were a part of the breach, which is an estimated 23 million people, both in the U.S and abroad.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/