Residual Pumpkin Entity, LLC (formerly CafePress), $500,000
CafePress ignored a 2019 data breach, failed to notify 22 million users, and then falsely claimed to reset passwords that it was actually leaving unchanged.
Case identifiers
- Respondent: Residual Pumpkin Entity, LLC (formerly CafePress) (and PlanetArt, LLC)
- Agency: Federal Trade Commission
- Announced: 2022-06-23
- Monetary relief: $500,000
- Case number: FTC File No. 192-3209
- Statutes cited: FTC Act § 5
Key facts
1. 2019 breach exposed email addresses, weakly encrypted passwords, Social Security numbers, and names/addresses of 22 million users.
2. CafePress learned of the breach in 2019 but did not notify affected consumers until 2020.
3. After the breach, the company required users to reset passwords but did not invalidate the old ones.
4. $500,000 redress to affected consumers plus injunctive relief against successor PlanetArt.
What the order requires
Injunctive terms imposed by the Federal Trade Commission. These bind Residual Pumpkin Entity, LLC (formerly CafePress)'s data practices going forward.
- Implementation of a comprehensive information security program.
- Prompt notification of consumers affected by future breaches.
- Required biennial third-party assessments.
Primary sources
Read the original government documents. These are the authoritative records; everything on this page is derived from them.
- Federal Trade Commission press release: https://www.ftc.gov/news-events/news/press-releases/2022/06/ftc-takes-action-against-cafepress-data-breach-cover
FAQ
What did the FTC charge Residual Pumpkin Entity, LLC (formerly CafePress) with?
CafePress ignored a 2019 data breach, failed to notify 22 million users, and then falsely claimed to reset passwords that it was actually leaving unchanged. The Federal Trade Commission cited FTC Act § 5.
How much did Residual Pumpkin Entity, LLC (formerly CafePress) pay?
Residual Pumpkin Entity, LLC (formerly CafePress) paid $500,000 in monetary relief, announced on 2022-06-23. The settlement also imposed injunctive terms (see "What the order requires" above).
Does the Residual Pumpkin Entity, LLC (formerly CafePress) settlement mean my data has been deleted?
No, the order does not automatically delete your data. You retain full rights under state privacy law (CCPA, CPA, TDPSA, VCDPA, and others) to submit your own deletion request. OfflistMe can generate a compliant deletion email pre-addressed to the respondent’s privacy contact.
How can I read the original FTC order?
The Federal Trade Commission press release is available at https://www.ftc.gov/news-events/news/press-releases/2022/06/ftc-takes-action-against-cafepress-data-breach-cover. The case / matter number is FTC File No. 192-3209.