The parent company of women’s fashion site Shein has been fined $1.9 million after being accused of lying about the extent of a data breach, and of notifying “only a fraction” of affected customers.
Four years ago we reported how Shein had suffered a hacker attack that saw the personal details of over six million customers exposed.
At the time, Shein said that the names, email addresses, and “encrypted password credentials” of “approximately 6.42 million customers” had been stolen by hackers who had planted malware onto its servers.
A subsequent investigation by the Office of the New York State Attorney General, however, uncovered that Shein’s parent company Zoetop:
- had failed to properly safeguard the customer data of Shein and sister-site Romwe prior to the attack. For instance, it used a weak hashing algorithm for passwords, and misconfigured its payment system to store some credit card details in a plain text log file.
- did not reset passwords or otherwise protect any of its customers’ exposed accounts.
- had downplayed the extent of the attack to consumers.
It was subsequently learnt that rather than the details of 6.42 million Shein customers being stolen in the attack, there were 39 million exposed accounts worldwide.
According to investigators, Shein failed to even alert the “vast majority of Shein accounts impacted” – leaving 32.5 million account owners oblivious to the risk.
Furthermore, Zoetop’s claim that it had “seen no evidence that credit card information was taken from our systems” was false, as the company had not even identified that it had suffered a breach until it was informed by a payment processor that there were indications Zoetop’s systems had been infiltrated and card data stolen.
As I tweeted at the time of the hack’s announcement, Shein’s online FAQ about the breach gave the impression of an amateur response – with unanswered questions accidentally left in its source code.
This week, New York Attorney General Letitia James announced that Shein’s parent company Zoetop was being fined $1.9 million, and was required to strengthen its cybersecurity.
“Shein and Romwe’s weak digital security measures made it easy for hackers to shoplift consumers’ personal data,” said Attorney General James, who wasn’t afraid to include a number of fashion-related puns. “While New Yorkers were shopping for the latest trends on Shein and Romwe, their personal data was stolen and Zoetop tried to cover it up. Failing to protect consumers’ personal data and lying about it is not trendy. Shein and Romwe must button up their cybersecurity measures to protect consumers from fraud and identity theft. This agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers, anything less will not be tolerated.”
Zoetop has also been ordered to maintain a comprehensive information security program that includes more robust hashing of customer passwords, network monitoring for suspicious activity, network vulnerability scanning, and incident response policies requiring timely investigation, timely consumer notice, and prompt password resets.
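The two failures the investigation named (a weak password hash and card details written to a plain text log) and the “more robust hashing” the settlement requires have straightforward engineering counterparts. The Python below is an added illustration, not code from Shein, Zoetop or the Attorney General’s settlement: it hashes passwords with a salted, iterated KDF from the standard library and masks Luhn-valid card numbers before a line reaches a log file. The iteration count and the stored-hash format are assumptions.

```python
import hashlib
import hmac
import os
import re

# Assumed work factor: a deliberately slow KDF, unlike a single fast digest.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' (assumed format)."""
    salt = salt or os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# 13 to 19 digits, optionally separated by spaces or dashes, is a candidate card number.
_PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def _luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_pan(line: str) -> str:
    """Mask every Luhn-valid card number in a log line, keeping only the last four digits."""
    def _mask(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not _luhn_ok(digits):
            return m.group(0)  # order ids and timestamps are left untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return _PAN_RE.sub(_mask, line)
```

Wire `redact_pan` into the logging path that receives payment responses, so the redaction happens before any handler writes to disk.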