CafePress, Inc. has been hit with a proposed class action lawsuit after the operator of “the world’s largest online gift shop” allegedly concealed for months a data breach that affected more than 23 million customers.
Filed in Illinois district court, the 22-page lawsuit states that a February 2019 security breach saw an unauthorized party gain access to the private information of more than 23 million customers who used CafePress’s gift shop website. According to the lawsuit, the compromised data included names, addresses, telephone numbers, email addresses, passwords, the last four digits of credit card numbers, credit card expiration dates, and some Social Security and tax identification numbers.
The case claims that despite promising “Safe and Securing Shopping. Guaranteed,” CafePress failed to protect customers’ private information and, to make matters worse, attempted to conceal the breach for almost eight months. After two data breach websites and Forbes reported on the incident over the summer, CafePress forced users to change their passwords, citing a “policy update,” the lawsuit says. It wasn’t until September, according to the suit, that the defendant quietly posted on its website a notification of the security breach. On October 2, 2019, the complaint states, CafePress finally sent out emails in which it notified customers of a “data security incident” that “may have occurred on or about February 19, 2019.”
The lawsuit argues that CafePress customers have been forced to spend time and money monitoring their credit, mitigating the risks of identity theft, addressing fraudulent activity on their accounts, and reviewing their credit reports as a result of the defendant’s conduct.
“Regardless of whether they have yet to incur out-of-pocket losses, Plaintiff and all CafePress customers whose personal information was stolen remain subject to a pervasive, substantial and imminent risk of identity theft and fraud,” the complaint reads, noting that the risk will continue “for years to come.”