CafePress is a web service that lets artists, shops, businesses, fan clubs – anyone who signs up, in fact – turn designs, corporate slogans, logos and the like into fun merchandise they can give away or sell on to others.

The days when you had to put in an order for several hundred coffee mugs (or golf balls, or mousemats, or T-shirts, or hoodies) just to get one with the company name on them are long gone, with even one-off merch orders possible thanks to on-line ordering.

Unfortunately, as the US Federal Trade Commission explained last week in a case report bluntly entitled CafePress, In the Matter of, the company wasn’t up to scratch when it came to looking after the personal data of its customers and signed-up sellers.

According to the FTC, the CafePress service experienced a data breach, discovered and reported in early 2019, that was not acted on promptly or effectively, making the ultimate side-effects of the breach much worse than they ought to have been.

In other words, even though the company was itself the victim of a cybercrime, it has nevertheless been censured and fined for what it did (and didn’t do), both before and after this cybercrime took place.

The breach, says the FTC, saw hackers make off with more than 20,000,000 plaintext email addresses and weakly-hashed passwords; millions of unencrypted names, physical addresses, and security questions-and-answers; more than 180,000 unencrypted SSNs (social security numbers); and, for tens of thousands of payment cards, the last four digits of the card plus the expiry date.

The sloppiness of the company’s followup to this sloppiness led to a plain-talking headline on the government’s own press release: FTC Takes Action Against CafePress for Data Breach Cover Up.