Oregon Announces CafePress and Home Depot Data Breach Settlements

December 18, 2020
• Posted in , ,

Cybersecurity Takes the Spotlight As Consumers Take Shopping Online

Oregon Attorney General Ellen Rosenblum today announced a settlement with the online retailer CafePress to resolve findings from an investigation into a massive data breach. The 2019 incident exposed the personal information of 22 million CafePress customers, including the usernames and passwords of 205,865 Oregonians and the Social Security or tax identification numbers of another 3,519 Oregon residents. The company will immediately pay $750,000 of a $2 million fine to seven states, of which Oregon will receive $62,000.

In another recent settlement, the home improvement retailer Home Depot agreed to pay $17.5 million to 45 states, including $182,000 to Oregon, after an investigation into a 2014 data breach revealed that hackers had gained access to payment card information for 40 million customers—and had gone undetected for months.

The agreements with CafePress and Home Depot are the most recent of several resolved by the Oregon Department of Justice ( DOJ) in recent months, including local fast food chain Burgerville, acute care provider Community Health Systems, and health insurer Anthem.

In 2015, Attorney General Rosenblum spearheaded updates to Oregon’s data breach laws, giving her office authority to enforce state penalties against violators under the Unlawful Trade Practices Law. Since then, the DOJ has investigated and negotiated numerous settlements on behalf of Oregon consumers, including a $2.8 million share of the 50-state settlement with consumer credit reporting giant Equifax, and a $74 million nationwide class action settlement against health insurer Premera Blue Cross.

In addition to monetary considerations, Oregon’s settlements include strong provisions designed to protect consumers’ personal information from future cyberattacks.

“Businesses have a duty to protect consumers’ personal and financial information—and we must hold them accountable when they fail to do so,” Attorney General Rosenblum said. “Whatever the source of a data breach, it’s critical that companies act immediately to fix the problem, notify those affected, and notify my office. Every moment of delay increases the risk of someone having their account hacked or their identity stolen.”

Cybersecurity is especially relevant this year, as the COVID-19 pandemic drives a sea change in consumers’ shopping habits.

“The ability to buy just about anything online, from groceries to holiday gifts to prescription medications, has helped more Oregonians stay safely at home during this pandemic,” AG Rosenblum said. “I have no doubt that online shopping has been a literal lifesaver for people with health vulnerabilities. But that convenience comes with its own risks.”

Consumers can reduce the risk of being victimized by a data breach. Change your passwords often, review your bank statements carefully, and avoid clicking on links in e-mails from strangers. Visit oregonconsumer.gov  to find tips to help you spot scammers, learn how to protect your identity online,  and search Oregon’s database for companies that have reported breaches.

Businesses should make sure their computer networks, software, and payment systems are secure, but offline measures are important, too. Educate your employees. And don’t keep a customer’s sensitive information longer than necessary! The CafePress breach compromised the personal data of 22 million people, including customers who had closed their CafePress accounts.

Data breach reporting one-pager for businesses

CafePress settlement

Oregon’s settlement with Home Depot

The Oregon Department of Justice is led by Attorney General Ellen Rosenblum and serves as the state’s law firm.