Shein parent Zoetop Business Company is on the hook for $1.9 million in fines to New York State for failing to “properly handle” a data breach that stole the personal information of tens of millions of customers and then lying to them about it, New York attorney general Letitia James said Wednesday.
Zoetop, the Hong Kong-registered company that also owns Shein’s sister e-tailer Romwe, employed “weak” digital security measures that made it susceptible to hacking, James said. This resulted in a 2018 cyberattack that compromised the names, email addresses, hashed passwords and credit card information of 39 million Shein accounts and 7 million Romwe accounts, including those belonging to more than 800,000 New York residents.
An investigation by the office of the attorney general discovered that Zoetop not only failed to adequately safeguard consumers’ information prior to the breach but it also did not take sufficient steps to protect many of the impacted accounts after it happened. At the same time, the company downplayed the size and scope of the cyberattack, both in conversations with customers and in public statements. It had falsely declared, for instance, that only 6.4 million customers had been affected and that the company was in the process of notifying all of the impacted customers.
Zoetop also misrepresented that it “ha[d] seen no evidence that [customer] credit card information was taken from our systems,” even though a cybersecurity firm it engaged following the incident uncovered evidence that the attackers had altered some Zoetop code responsible for processing customer transactions in an effort to mine credit card details.
The investigation found that Zoetop had contacted only a fraction of the 39 million Shein accounts whose login credentials had been compromised and did not reset passwords or otherwise protect any of the exposed accounts. More than 32.5 million, including those belonging to 255,294 New York residents, weren’t informed that their login credentials had been hijacked.
It would be another two years, when Zoetop stumbled across Romwe customer login credentials on the dark web in 2020, before the company reset the passwords of affected accounts and alerted them to the data breach. In all, the login information of more than 7 million Romwe customers was lifted, including those pertaining to nearly 500,000 New York residents.
“While New Yorkers were shopping for the latest trends on Shein and Romwe, their personal data was stolen and Zoetop tried to cover it up,” James said. “Failing to protect consumers’ personal data and lying about it is not trendy. Shein and Romwe must button up their cybersecurity measures to protect consumers from fraud and identity theft. This agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers, anything less will not be tolerated.”
Until August 2018, Zoetop hashed customer passwords using an algorithm that was known at the time to be “insufficient” against attacks, James’s office said. The company didn’t run regular external vulnerability scans or regularly monitor or review audit logs to identify security incidents. Nor did it maintain a detailed written incident response plan for addressing cyberattacks.
Zoetop also misconfigured its systems to store credit card information from certain transactions in a debug log file in plain text, making it easier for hackers to break into, the attorney general’s office said. And at the time of the breach, the firm failed to perform scans to pinpoint on its systems the location of its cardholder data.
The $1.9 million in penalties and costs aside, Zoetop has been told that it must manage a “comprehensive” information security program that includes “robust” hashing of customer passwords, network monitoring for suspicious activity and network vulnerability scanning, as well as incident response policies requiring “timely” investigation, “timely” consumer notice and “prompt” password resets.
A Shein spokesperson said that Zoetop has “fully cooperated” with the New York attorney general and is “pleased” to have reached a resolution with the office.
“Protecting our customers’ data and maintaining their trust is a top priority, especially with ongoing cyber threats posed to businesses around the world,” the representative for U.S. teens’ No. 2 shopping site told Sourcing Journal. “Since the data breach, which occurred in 2018, we have taken significant steps to further strengthen our cybersecurity posture and we remain vigilant.”