Shein Parent Fined $1.9 Million #544

2022/10/18

Shein parent Zoetop Business Company is on the hook for $1.9 million in fines to New York state for failing to “properly handle” a data breach that stole the personal information of tens of millions of customers and then lying to them about it, New York attorney general Letitia James said Wednesday.

Zoetop, the Hong Kong-registered company that also owns Shein’s sister e-tailer Romwe, employed “weak” digital security measures that made it susceptible to hacking, James said. This resulted in a 2018 cyberattack that compromised the names, email addresses, hashed passwords and credit card information of 39 million Shein accounts and 7 million Romwe accounts, including those belonging to more than 800,000 New York residents.

An investigation by the office of the attorney general discovered that Zoetop not only failed to adequately safeguard consumers’ information prior to the breach but it also did not take sufficient steps to protect many of the impacted accounts after it happened. At the same time, the company downplayed the size and scope of the cyberattack, both in conversations with customers and in public statements. It had falsely declared, for instance, that only 6.4 million customers had been affected and that the company was in the process of notifying all of the impacted customers.

Zoetop also misrepresented that it “ha[d] seen no evidence that [customer] credit card information was taken from our systems,” even though a cybersecurity firm it engaged following the incident uncovered evidence that the attackers had altered some Zoetop code responsible for processing customer transactions in an effort to mine credit card details.

The investigation found that Zoetop had contacted only a fraction of the 39 million Shein accounts whose login credentials had been compromised and did not reset passwords or otherwise protect any of the exposed accounts. More than 32.5 million, including those belonging to 255,294 New York residents, weren’t informed that their login credentials had been hijacked.

It would be another two years, until Zoetop stumbled across Romwe customer login credentials on the dark web in 2020, before the company reset the passwords of the affected accounts and alerted their owners to the data breach. In all, the login information of more than 7 million Romwe customers was lifted, including that of nearly 500,000 New York residents.

“While New Yorkers were shopping for the latest trends on Shein and Romwe, their personal data was stolen and Zoetop tried to cover it up,” James said. “Failing to protect consumers’ personal data and lying about it is not trendy. Shein and Romwe must button up their cybersecurity measures to protect consumers from fraud and identity theft. This agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers; anything less will not be tolerated.”

➔ Read the full article on the Sourcing Journal