The parent company of the widely popular clothing brand Shein has been fined $1.9 million by New York state for failing to notify all 39 million users of a data breach in 2018 that compromised login credentials, allowing bad actors to steal credit card information.
The cyberattack on Shein, according to the Attorney General Office, included more than 375,000 New York residents, along with 800,000 more from the seven million Romwe accounts that were also infiltrated.
China-based Zoetop also falsely stated that only 6.42 million consumers had been impacted in the breach and failed to maintain reasonable security measures to protect customers’ data, which led New York to seek retribution.
In addition to the misleading statements, Zoetop said that it ‘ha[d] seen no evidence that [customer] credit card information was taken from our systems,’ but two years later the firm found customer login information for Romwe on the dark web.
Shein’s parent company, Zoetop, will pay a $1.9 million to New York state for failing to notify all 39 million users of a data breach in 2018
Attorney General Lelita James said in a statement: ‘Shein and Romwe’s weak digital security measures made it easy for hackers to shoplift consumers’ personal data.
‘While New Yorkers were shopping for the latest trends on Shein and Romwe, their personal data was stolen and Zoetop tried to cover it up.
‘Failing to protect consumers’ personal data and lying about it is not trendy.
‘SHEIN and ROMWE must button up their cybersecurity measures to protect consumers from fraud and identity theft.
‘This agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers, anything less will not be tolerated.’
The 2018 cyberattack also saw personal information being scrapped from accounts, including names, email addresses and hashed account passwords of certain Zoetop customers.
The digital crime then went unnoticed by the firm until it was later notified by a payment processor that the company’s systems ‘appeared to be compromised,’ the AGO announcement reads.
The cyberattack saw bad actors steal credit cards and personal information, including names, email addresses and hashed account passwords of certain Zoetop customers
Following the cyberattack, Zoetop engaged a cybersecurity firm to conduct a forensic investigation.
The cybersecurity firm confirmed that attackers had gained access to Zoetop’s internal network and had altered code responsible for processing customer transactions in an attempt to intercept and exfiltrate customer’s credit card information.
‘As a result of today’s agreement, Zoetop is required to pay New York $1,900,000 in penalties and costs,’ the AGO announcement states.
‘In addition, Zoetop must maintain a comprehensive information security program that includes robust hashing of customer passwords, network monitoring for suspicious activity, network vulnerability scanning, and incident response policies requiring timely investigation, timely consumer notice, and prompt password resets.’
Shein, which was revealed in August to have a $100 billion valuation, was founded in 2008 and recently named the world’s largest fashion retailer.
In recent years, Shein has found itself in the middle of several controversies including trademark disputes, tax evasion, human rights violations and health and safety concerns.
There have also been concerns about the sinister surveillance tactics employed by Shein to get ahead of its rivals.
Industry insiders say the shadowy company is spying on unsuspecting customers by using social media sites and apps, collecting vast amounts of data on what its customers view and like, then instructing its factories to churn out copies at a lower cost than its competitors.
