A SHEIN-Y $1.9 million dollar fine
for the fast fashion company after
lying about 39 million customers data sold on dark web

Shein, and its parent company Zoetop, has been hit by a $1.9 million dollar fine by the state of New York for lying about the severity of a data breach from 2018.

Shein, and its parent company Zoetop, has been hit by a $1.9 million dollar fine by the state of New York for lying aShein, a popular online fast fashion brand, is one of the largest and most successful e-commerce businesses in recent years, primarily thanks to the pandemic which pushed consumers to online shopping. It was briefly 2021’s most downloaded shopping app in the U.S., above Amazon. Originally based in China, the company has since moved operations to Singapore. The average cost of a piece of clothing from Shein is $10.70, making it extremely popular with Gen-Z. bout the severity of a data breach from 2018.

Shein, and its parent company Zoetop, has been hit by a $1.9 million dollar fine by the state of New York

In 2018, the company was hit by hackers that stole over 6 million customer’s personal information and data. Shein stated themselves that only 6.42 million customers were affected with their names, emails, and passwords being compromised.

New York State Attorney General however did an investigation that revealed that the company had failed to have adequate cybersecurity protections in place, stored passwords and important customer data in plain text files, used weak passwords, and was not honest about the true number of customers affected.

In reality, 39 million customers were affected by the breach. The company also did not reset customer passwords, notify the majority of the breach, or provide any other assistance in mitigating the damage.

Most questions on social media sites from concerned customers were mostly ignored. The company put out a brief, amateurish FAQ section on their website, and the source code shows questions they did not answer but accidentally left visible in their source code.

coment cheiny

Data that was compromised by the hackers was sold online on the dark web. Cybersecurity experts are urging customers who have used Shein, the Shein app, or any of Zoetop’s company sites to monitor their credit cards, credit reports, and change their passwords.

The claim by Shein, and parent company Zoetop, that hackers had not stolen credit card information that they assured customers of was false. Further it was revealed that the company did not even know they were suffering a data breach until payment processing companies they worked with notified them of suspicious activity.

Cybersecurity Investigators found that "the attackers had altered some Zoetop code responsible for processing customer transactions in an attempt to intercept and exfiltrate customer credit card information."

Further investigations, while partially hindered by Zoetop’s full compliance, revealed that the company was using outdated and insufficient encryption methods that were well known to not be affective in preventing hackers from cracking passwords.

"Zoetop failed to adhere to PCI DSS requirements related to network monitoring and testing, as the company did not use file integrity monitoring, monitor or analyze log files, retain an audit trail history, or perform quarterly network vulnerability scans.”

Romwe, a second fashion site owned by Zoetop, also suffered during the same data breach with around 7 million additional customers being affected.

"Shein and Romwe’s weak digital security measures made it easy for hackers to shoplift consumers’ personal data," said Attorney General James who wasn't afraid to include a number of fashion-related puns. "While New Yorkers were shopping for the latest trends on Shein and Romwe, their personal data was stolen and Zoetop tried to cover it up. Failing to protect consumers’ personal data and lying about it is not trendy. Shein and Romwe must button up their cybersecurity measures to protect consumers from fraud and identity theft. This agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers, anything less will not be tolerated." Letita James – NY Attorney General.

Shein and parent company Zoetop have been court ordered to create and maintain a comprehensive cybersecurity program, incident response policies, and more as per the Department of Financial Security Law requirements. Around 800,000 New York customers were affected by Shein’s negligence.

In addition to fines, the company must update NY State officials about its internal cybersecurity for the next 5 years, as well as provide identify theft services for free to all customers that were affected by the breach.

“In roughly the last 30 days, vital and personal information has been hacked at many major U.S. companies [Uber, American Airlines, U-Haul, DoorDash, and more], compromising people’s privacy. Yet, if you ask most people about these hacks they don’t even know they occurred and the feds are saying very little.”

"If customers find out that their data was stolen and the company tried to hide the fact, then they will be much less likely to use that company in the future due to trust. Companies/partners will [also] be less likely to do business with a company that has purposely not disclosed a breach because they don't want to get caught in the 'black hole' of negative reception."

Patrick Wragg, Cyber Response Manager, Integrity360.

Don’t think it can’t happen to you and fall victim to a data breach or cybersecurity risk. We at Motiva Networks can help you make a plan and see if your data has been compromised with a Free Confidential Cybersecurity Risk Assessment. 

Walter-Contreras