The business behind the ultra-fast fashion labels Shein and Romwe has agreed to pay New York state $1.9 million in compensation for a data breach that affected millions of consumers. The punishment derives from allegations that Zoetop failed to safeguard customers’ data, failed to properly notify consumers of a data breach, and attempted to conceal the nature of the loss.
The punishment follows an investigation by the Attorney General’s Office into a 2018 attack in which credit card and personal information, such as names, emails, and hashed passwords, were obtained. The data hack compromised 39 million Shein and 7 million Romwe accounts, including over 800,000 New Yorker accounts.
According to the OAG, after learning of the intrusion, Zoetop contacted just a subset of the impacted consumers and did not change passwords for any of the accounts. Zoetop did not notify users that their login information had been compromised for 32.5 million Shein accounts. The corporation is also accused of lying about the number of clients whose data was taken and claiming that no credit card information was obtained.
After Zoetop discovered user logins from the 2018 attack on the dark web, Romwe customers were alerted of a data breach two years later. When Zoetop eventually reset passwords for all Romwe clients in December 2020, the inquiry discovered that it informed consumers that their passwords had expired after a year of not being updated. The notice was changed the following February with one that simply read, “We identified suspicious behavior, please verify your identity in order to reinstate your account.” The OAG investigation also found that at the time of the incident, Zoetop “failed to maintain acceptable security measures,” such as utilizing insufficient password management methods and failing to monitor for security risks or have a thorough strategy in place in event of a cyberattack.
The e-commerce company is very popular among young people all over the globe, putting out a near-constant stream of apparel and accessories at rock-bottom costs. Shein was valued at more than $100 billion this year, according to Politico.