CafePress recently discovered that an unidentified third party obtained customer information, without authorization, that was contained in a CafePress database. Based on our investigations, this may have occurred on or about February 19, 2019.
What Information Was Involved
We believe the unidentified third party obtained personal data pertaining to approximately 1,006,000 customer accounts in the EU, about 880,000 of which are for customers in the United Kingdom. The information included names, email addresses, passwords to customer CafePress accounts, and other information including, in a limited number of cases, the last 4 digits of credit card numbers. For less than 1% of the affected individuals, the information also included a tax identification number. We are notifying the UK Information Commissioner’s Office and the appropriate EU Data Protection Authorities of the incident, and we are notifying individuals directly.
What We Are Doing
We have been diligently investigating this incident with the assistance of outside experts. We also have contacted and are cooperating with U.S. federal law enforcement authorities. In addition, we have taken various steps to further enhance the security of our systems and your information as a result of this incident, and the affected database has been moved to a different environment.
What You Can Do
We recommend you remain vigilant and take steps to protect against identity theft or fraud, including monitoring your accounts and free credit reports for signs of suspicious activity.
We also recommend that you visit the CafePress website and log in to any online account you may have, which should prompt you to change your account password, if you have not done so recently. In general, you should always ensure that you are not using the same password across multiple accounts, and that you are using strong passwords that are not easy to guess.
Customers should be mindful of the possibility of fraudulent emails and calls due to this incident. Any email you may receive from CafePress about this issue does not ask you to click on any links or open attachments and does not request your personal data. If you believe you have received a fraudulent email that claims to be from CafePress, avoid replying to the email, and do not click on the links embedded in the email or download attachments from such suspicious emails.
We are fully committed to protecting your information, and we deeply regret that this incident occurred.
If you have any questions or concerns for CafePress, please contact 0800 953 3053. The Support Line is available 24 hours a day, 7 days a week.
Individuals Outside the United Kingdom
More information can be found at the links listed below.
CafePress Australia: cafepress.com.au/p/security2019
CafePress Canada: cafepress.ca/p/security2019
CafePress United States: cafepress.com/p/security2019
Contact details for supervisory authorities can be found at https://edpb.europa.eu/about-edpb/board/members_en.