Shein data breach results in $1.9m fine for parent company

13 Oct 2022

An investigation found that 39m Shein and 7m Romwe accounts were compromised in a 2018 data breach – which parent Zoetop then tried to keep under wraps.

Zoetop, the parent company of popular fast fashion retailers Shein and Romwe, has been fined $1.9m by a US court for a data breach that affected millions of customers back in 2018.

Letitia James, attorney general for the state of New York, found that Zoetop failed to protect its customers against a cyberattack that saw sensitive consumer data stolen, and that it underplayed the true extent of the breach in its aftermath.

Following an investigation, the office of the attorney general found that credit card data and other personal information of 39m Shein accounts and 7m Romwe accounts were compromised in the breach. This included more than 800,000 residents of the state of New York.

According to the attorney general’s office, Zoetop was unaware of the data breach when it first happened in June 2018. It was later notified by its payments processors that its systems had been infiltrated and accounts compromised.

A cybersecurity firm was then consulted. It confirmed the breach and found that millions of Shein and Romwe accounts had credit card information stolen. However, the office notes that Zoetop misrepresented the number of consumers who had been affected in the breach.

James blamed Zoetop’s “weak digital security measures” for the ease with which hackers were able to steal data. “While New Yorkers were shopping for the latest trends on Shein and Romwe, their personal data was stolen and Zoetop tried to cover it up. Failing to protect consumers’ personal data and lying about it is not trendy.”

In addition to the fine, Shein and Romwe have been ordered to “button up” cybersecurity measures through a programme that includes hashing of customer passwords, monitoring suspicious activity, scanning for network vulnerabilities and faster incident response.

“This agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers, anything less will not be tolerated,” said James.

Shein is a popular online retailer in Ireland. While it has no European headquarters, the Business Post reported in June that Shein employed 10 people in its Dublin office – with plans to double the headcount by the end of the year.

Vish Gain is a journalist with Silicon Republic