The parent company of women’s fashion website Shein, Zoetop, was fined $1.9 million after being accused of lying about the severity of its data breach and notifying “only a fraction” of impacted customers.
In 2018, Shein reportedly fell victim to a cyberattack that exposed the personal details of over six million customers.
Shein said at the time that the names, email addresses, and “encrypted password credentials” of “approximately 6.42 million customers” were stolen by hackers who had planted malware onto its servers.
However, an investigation by the Office of the New York State Attorney General later found that Zoetop had failed to properly protect the data of customers of Shein and its sister site Romwe before the attack, did not reset passwords or otherwise protect any of its customers’ exposed accounts, and downplayed the extent of the attack to users.
Afterwards, it was found that the personal details of 39 million Shein users were exposed worldwide, instead of the 6.42 million accounts initially reported by the company.
According to investigators, Shein failed to alert the “vast majority of Shein accounts impacted” and left 32.5 million customers at risk.
Zoetop’s claim that it had “seen no evidence that credit card information was taken from our systems” was also false. The company did not even recognize that it had suffered a data breach until a payment processor notified it that there were indications Zoetop’s systems had been infiltrated and card data stolen.
Last week, New York Attorney General Letitia James announced that Shein’s parent company Zoetop was being fined $1.9 million, and was required to improve its cybersecurity.
“Shein and Romwe’s weak digital security measures made it easy for hackers to shoplift consumers’ personal data,” said Attorney General James in her statement. “While New Yorkers were shopping for the latest trends on Shein and Romwe, their personal data was stolen and Zoetop tried to cover it up. Failing to protect consumers’ personal data and lying about it is not trendy. Shein and Romwe must button up their cybersecurity measures to protect consumers from fraud and identity theft. This agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers; anything less will not be tolerated.”
Zoetop was also ordered to maintain a comprehensive information security program that includes stronger hashing of customer passwords, network monitoring for suspicious activity, network vulnerability scanning, and incident response policies requiring timely investigation, timely customer notice, and prompt password resets.