SHEIN's parent firm fined US$1.9m for improper data breach response

SHEIN's parent firm, Zoetop Business Company, has been fined US$1.9 million for failing to properly handle a data breach that compromised the personal information of tens of millions of consumers globally and for lying about the scope of the breach to consumers. Aside from SHEIN, Zoetop also owns eCommerce brand ROMWE.

According to New York Attorney General Letitia James, Zoetop had a data breach in which 39 million SHEIN accounts and seven million ROMWE accounts were stolen, including accounts for more than 800,000 New York residents. Attackers stole credit card information and personal information, including names, email addresses, and hashed account passwords of certain Zoetop customers, including SHEIN shoppers.

An investigation by the Office of the Attorney General revealed that the company failed to properly safeguard consumers’ information prior to the data breach, failed to take adequate steps to protect many of the impacted accounts after the breach, and downplayed the extent of the cyberattack to consumers.

In addition to the fine, Zoetop must also maintain a comprehensive information security program that includes robust hashing of customer passwords, network monitoring for suspicious activity, network vulnerability scanning, and incident response policies requiring timely investigation, timely consumer notice, and prompt password resets.

Zoetop experienced a cyberattack in June 2018 but the company did not detect the intrusion and was later notified by its payment processor that its systems appeared to have been compromised. According to James, the payment processor reported that it had been contacted by a large credit card network and a credit card issuing bank, each of which had information “indicating that [Zoetop’s] system[s] have been infiltrated and card data stolen.

Following the cyberattack, Zoetop engaged a cybersecurity firm to conduct a forensic investigation. The cybersecurity firm confirmed that attackers had gained access to Zoetop’s internal network and had altered code responsible for processing customer transactions in an attempt to intercept and exfiltrate customers’ credit card information. The cybersecurity firm also found that the attackers had exfiltrated the personal information of SHEIN customers.

The investigation found that Zoetop contacted only a fraction of the 39 million SHEIN accounts whose login credentials had been compromised and did not reset passwords or otherwise protect any of the exposed accounts. For the vast majority of SHEIN accounts impacted in the breach — more than 32.5 million accounts worldwide and 255,294 New York residents — Zoetop failed to even alert those customers that their login credentials had been stolen.

Additionally, James said that Zoetop’s public statements about the data breach included several misrepresentations about the breach’s size and scope. For example, Zoetop falsely stated that only 6.42 million consumers had been impacted in the breach and that the company was in the process of notifying all of the impacted customers. Zoetop also represented, falsely, that it “[had] seen no evidence that [customer] credit card information was taken from o[its] systems", James explained.

Two years later, Zoetop discovered customer login credentials for ROMWE customer accounts available on the dark web. Based on the results of a forensic investigation, Zoetop concluded that the ROMWE login credentials had likely been exfiltrated in 2018 in the same attack that had impacted SHEIN accounts. Zoetop reset the passwords of affected accounts and notified affected ROMWE consumers.

The investigation found that at the time of the 2018 data breach, Zoetop failed to maintain reasonable security measures to protect customers’ data in several areas: password management, protection of sensitive customer information, monitoring, and incident response.

Separately, on the sustainability front, SHEIN announced just last week that it plans to reduce overall emissions across its entire value chain by 25% by 2030. The company also plans to commit up to US$7.6 million in programmatic funding to Apparel Impact Institute, a nonprofit organisation dedicated to decarbonising and modernising the fashion industry supply chain, to build the roadmap for emissions reduction within SHEIN's supply chain.

SHEIN's global head of ESG, Adam Whinston, said then that the company is taking "a significant step forward" by announcing a new set of 2030 goals that will help the company accomplish emissions reduction targets for its entire supply chain over the next seven years.

Meet Asia’s top PR and communication leaders in-person. PR Asia sets the stage for the future of purpose-driven contemporary PR. Join us on 9 November as we gather Asia’s top PR and communication practitioners in-person in Malaysia. Deep dive into the next necessary steps for PR as we head towards 2023. Only at #PRAsia.

Related articles:
SHEIN plans to cut emissions by 25% by 2030
SHEIN nabs Match Group APAC senior comms director
What should SHEIN focus on if it manages its US$1bn in funding?
SHEIN reportedly mulling new funding round worth US$1bn