Zoetop Business Company, the firm which owns fast fashion brands SHEIN and ROMWE, has been fined US$1.9mn by the state of New York after failing to disclose a data breach which affected 39 million customers.
The cyber security incident which took place in July 2018 saw a malicious third party gain unauthorized access to SHEIN’s payment systems. According to a statement issued by the state of New York’s Attorney General’s office SHEIN’s payment processor contacted the brand and disclosed that it had been “contacted by a large credit card network and a credit card issuing bank, each of which had information indicating that [Zoetop’s] system[s] have been infiltrated and card data stolen”.
This discovery was made after the credit card network found SHEIN customers’ payment details for sale on a hacking forum. Separate to this issue, the issuing bank for the cards had issued a fraud alert after linking fraud for several customers to payments made to SHEIN.
Following the discovery of the cyber-attack, the payment processor informed SHEIN that they must employ a cyber security forensic investigator to look into the case. The firm employed by Zoetop found that during the cyber-attack malicious actors had gained access to SHEIN’s internal systems and had accessed personal and identifying information for 39 million customers.
The data accessed included “names, city/province information, email addresses and hashed account passwords”. However, the method used to obscure them was vulnerable to hacking, allowing the malicious actors access to customers’ full password details.
Additionally, the login credentials of nearly 7.3 million ROMWE accounts were stolen in the breach and were later found for sale on the dark web in 2020.
An investigation by the New York Attorney General’s (AG) office found that Zoetop did not force any of the 39 million people affected to reset their account passwords. Zoetop instead identified 6.4 million customers of the 39 million affected who had previously placed an order with SHEIN and contacted them directly, suggesting they reset their password. Zoetop reset the passwords for the accounts affected by the ROMWE attack without informing them that they had been exposed in a data breach.
The New York AG also reported that a press release regarding the 2018 breach issued on a FAQ section of the SHEIN website contained misleading data. This included claims that only 6.4 million customers were affected in the breach and that there was “no evidence that [customer] credit card information was taken from [its] systems”, despite being previously informed that credit card data had been stolen in the breach.
The investigation discovered that Zoetop “did not provide the firm access to the compromised systems and a variety of information about [its] data security program”, “failed to adhere to PCI DSS requirements for protecting stored credit card data” and “did not use file integrity monitoring, monitor or analyze log files, retain an audit trail history, or perform quarterly network vulnerability scans”.