Attorney General James Secures $1.9 Million from E-Commerce SHEIN and ROMWE Owner Zoetop for Failing to Protect Consumers’ Data
Zoetop Failed to Notify All 39 Million SHEIN Shoppers of a
Data Breach and Downplayed the Scope of the Breach to Consumers
More than 800,000 New Yorkers Were Impacted by SHEIN and ROMWE Data Breach
NEW YORK – New York Attorney General Letitia James today secured $1.9 million from e-commerce retailer, Zoetop Business Company, Ltd. (Zoetop), for failing to properly handle a data breach that compromised the personal information of tens of millions of consumers worldwide and for lying about the scope of the breach to consumers. Zoetop, which owns and operates the popular e-commerce brands SHEIN and ROMWE, had a data breach in which 39 million SHEIN accounts and 7 million ROMWE accounts were stolen, including accounts for more than 800,000 New York residents. SHEIN and ROMWE are popular shopping sites frequently used by millennials and Gen Zers. An investigation by the Office of the Attorney General (OAG) revealed that the company failed to properly safeguard consumers’ information prior to the data breach, failed to take adequate steps to protect many of the impacted accounts after the breach, and downplayed the extent of the cyberattack to consumers. As a result of today’s agreement, Zoetop must pay $1.9 million in penalties to the state and strengthen its cybersecurity measures to protect consumers’ information.
“SHEIN and ROMWE’s weak digital security measures made it easy for hackers to shoplift consumers’ personal data,” said Attorney General James. “While New Yorkers were shopping for the latest trends on SHEIN and ROMWE, their personal data was stolen and Zoetop tried to cover it up. Failing to protect consumers’ personal data and lying about it is not trendy. SHEIN and ROMWE must button up their cybersecurity measures to protect consumers from fraud and identity theft. This agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers, anything less will not be tolerated.”
In June 2018, Zoetop was targeted in a cyberattack. Attackers stole credit card information and personal information, including names, email addresses, and hashed account passwords of certain Zoetop customers, including SHEIN shoppers. Zoetop did not detect the intrusion and was later notified by its payment processor that its systems appeared to have been compromised. The payment processor reported that it had been contacted by a large credit card network and a credit card issuing bank, each of which had information “indicating that [Zoetop’s] system[s] have been infiltrated and card data stolen.”
Following the cyberattack, Zoetop engaged a cybersecurity firm to conduct a forensic investigation. The cybersecurity firm confirmed that attackers had gained access to Zoetop’s internal network and had altered code responsible for processing customer transactions in an attempt to intercept and exfiltrate customer’s credit card information. The cybersecurity firm also found that the attackers had exfiltrated the personal information of SHEIN customers, including names, email addresses, and hashed account passwords. Worldwide, 39 million SHEIN account credentials were stolen, including the credentials of more than 375,000 New York residents.
The OAG investigation found that Zoetop contacted only a fraction of the 39 million SHEIN accounts whose login credentials had been compromised and did not reset passwords or otherwise protect any of the exposed accounts. For the vast majority of SHEIN accounts impacted in the breach — more than 32.5 million accounts worldwide and 255,294 New York residents — Zoetop failed to even alert those customers that their login credentials had been stolen.
In addition, Zoetop’s public statements about the data breach included several misrepresentations about the breach’s size and scope. For example, Zoetop falsely stated that only 6.42 million consumers had been impacted in the breach and that the company was in the process of notifying all of the impacted customers. Zoetop also represented, falsely, that it “ha[d] seen no evidence that [customer] credit card information was taken from our systems.”
Two years later, Zoetop discovered customer login credentials for ROMWE customer accounts available on the dark web. Based on the results of a forensic investigation, Zoetop concluded that the ROMWE login credentials had likely been exfiltrated in 2018 in the same attack that had impacted SHEIN accounts. Zoetop reset the passwords of affected accounts and notified affected ROMWE consumers. In all, the login credentials of over 7 million ROMWE accounts were stolen, of which nearly 500,000 belonged to New York residents.
The OAG found that, at the time of the 2018 data breach, Zoetop failed to maintain reasonable security measures to protect customers’ data in several areas:
- Password Management: Until August 2018, Zoetop hashed customer passwords using an algorithm that was known at the time to be insufficient to protect against attacks.
- Protection of Sensitive Customer Information: Zoetop misconfigured its systems to store credit card information from certain transactions in a debug log file in plain text, which is less secure and easier for hackers to access. In addition, at the time of the breach, Zoetop failed to perform scans to identify where on its systems cardholder data was stored.
- Monitoring: Zoetop did not run regular external vulnerability scans or regularly monitor or review audit logs to identify security incidents.
- Incident Response: Zoetop did not have a comprehensive, written incident response plan in place to address a cyberattack. In addition, following the 2018 data breach, Zoetop failed to take timely action to protect many of the impacted customers.
As a result of today’s agreement, Zoetop is required to pay New York $1,900,000 in penalties and costs. In addition, Zoetop must maintain a comprehensive information security program that includes robust hashing of customer passwords, network monitoring for suspicious activity, network vulnerability scanning, and incident response policies requiring timely investigation, timely consumer notice, and prompt password resets.
This matter was handled by Assistant Attorney General Hanna Baek and Senior Enforcement Counsel Jordan Adler of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim A. Berger and Deputy Bureau Chief Clark P. Russell. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is overseen by Chief Deputy Attorney General Chris D’Angelo and First Deputy Attorney General Jennifer Levy.