Zoetop, the owner of the popular e-commerce brands SHEIN and ROMWE, must pay $1.9 million in penalties and costs to New York for mishandling a data breach in which tens of millions of customers had their personal information compromised, and for misleading those consumers about the scope of the breach.
The breach exposed 39 million SHEIN accounts and 7 million ROMWE accounts. About 800,000 of those accounts belonged to New York residents, according to the Office of the Attorney General (OAG).
The information stolen in the attack included credit card details, names, email addresses and account passwords for certain Zoetop customers.
The breach dates back to 2018, when attackers gained access to Zoetop's systems without the company noticing. The e-commerce retailer only learned that its systems had been compromised when a payment processor alerted it, according to the OAG.
After the attack, Zoetop hired a cybersecurity firm to conduct a forensic investigation, which found that the attackers had stolen 39 million SHEIN account credentials worldwide, including those of 375,000 New Yorkers.
The OAG says that Zoetop had only contacted a fraction of the customers who had their accounts compromised. More than 32.5 million accounts worldwide and 255,294 New Yorkers had not been alerted about the cyberattack, according to the OAG.
Zoetop also misrepresented the severity of the attack at the time. The retailer falsely claimed that only 6.42 million customers were affected by the breach and falsely stated that there was no evidence credit card information had been stolen, according to the OAG.
Two years after the breach, Zoetop discovered that login credentials for ROMWE customer accounts were being offered on the dark web, the OAG says.
In total, 7 million ROMWE accounts were found to have been stolen worldwide, along with the accounts of 500,000 New Yorkers.
Through its investigation, the OAG found that Zoetop had failed to maintain reasonable security measures to protect customer information in several areas.
Those areas were password management, the protection of sensitive customer information, security monitoring, and incident response.
In addition to the $1.9 million in monetary penalties, Zoetop must maintain a comprehensive information security program. Among other requirements, this includes stronger hashing of customer passwords, network monitoring, and timely notice to affected customers.
“SHEIN and ROMWE’s weak digital security measures made it easy for hackers to shoplift consumers’ personal data,” New York Attorney General Letitia James said.
“While New Yorkers were shopping for the latest trends on SHEIN and ROMWE, their personal data was stolen and Zoetop tried to cover it up. Failing to protect consumers’ personal data and lying about it is not trendy. SHEIN and ROMWE must button up their cybersecurity measures to protect consumers from fraud and identity theft. This agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers; anything less will not be tolerated.”