CafePress acknowledges huge data theft months too late

data breach

No business wants to be responsible for clients’ data being stolen. Ethics demand clients are told right away meaning a bunch of unhappy customers. It’s not one of those problems you can ignore until it goes away. But it seems red-faced T-shirt flogger CafePress did just that when they failed to inform customers huge swaths of data was stolen by hackers until seven months after the fact.

At the start of August the company ran a mass-password reset following reports that some 23 million user details were floating around on hacker forums. Roughly half of them had passwords exposed.

Despite this, CafePress didn’t release the information to customers until this week when emails were sent out warning the company lost customer names, emails, physical addresses, phone numbers and unencrypted passwords. Some customers have also had the last four numbers of payment cards and expiry dates nabbed by hackers.

The cheeky email that claims the breach was only “recently” discovered and was addressed to “Dear Valued Customer”. It says the incident happened around February 18 and the company has been “diligently investigating” the hack with the help of outside experts.

It goes on to say that an unidentified third party accessed one of their databases and their customer data. They may also have had access to CafePress accounts for a limited time and the information "could have been used for fraudulent activity".

The company said it is working with US law enforcement and has notified UK and European regulators. It has also shifted the database and "taken various steps to further enhance the security of our systems and your information".

CafePress claims to have informed regulators and includes links to Experian, Transunion and Equifax for customers wanting to check their credit rating.