maybe better than nothing
Sounds like CafePress failed at almost every level from a technical/security standpoint. $500k seems like a small fine for something that impacted millions of folks especially that amount of data that was stolen. Have no idea what the typical fine is for something like this. Likewise it seemed the penalties for Equifax were very light as well(well for Equifax the penalties were a joke but that breach got me off my ass to finally make a habit of keeping my credit report locked/frozen).
Given the last 4 of credit card numbers were snagged, wouldn't surprise me if they had lots of PCI problems as well, since obviously they seemed to collect credit card numbers even if they didn't happen to store the full number. (I remember one company I was at before PCI was a thing, you could see full credit card info in their logs if you just set the logs to DEBUG, and the logs were in DEBUG mode most of the time because the app stack was terrible).
Maybe in the future the penalties will be much greater. How much would the penalty be if this was a GDPR violation, anyone know/guess?