DataBreaches.Net
Attorney General James Secures $1.9 Million from E-Commerce SHEIN and ROMWE Owner Zoetop for Failing to Protect Consumers’ Data

Posted on October 12, 2022 by Dissent

October 12 –

NEW YORK – New York Attorney General Letitia James today secured $1.9 million from e-commerce retailer Zoetop Business Company, Ltd. (Zoetop) for failing to properly handle a data breach that compromised the personal information of tens of millions of consumers worldwide and for lying to consumers about the scope of the breach. Zoetop, which owns and operates the popular e-commerce brands SHEIN and ROMWE, suffered a data breach in which the credentials of 39 million SHEIN accounts and 7 million ROMWE accounts were stolen, including accounts belonging to more than 800,000 New York residents. SHEIN and ROMWE are popular shopping sites frequently used by millennials and Gen Zers. An investigation by the Office of the Attorney General (OAG) revealed that the company failed to properly safeguard consumers’ information prior to the data breach, failed to take adequate steps to protect many of the impacted accounts after the breach, and downplayed the extent of the cyberattack to consumers. As a result of today’s agreement, Zoetop must pay $1.9 million in penalties to the state and strengthen its cybersecurity measures to protect consumers’ information.

“SHEIN and ROMWE’s weak digital security measures made it easy for hackers to shoplift consumers’ personal data,” said Attorney General James. “While New Yorkers were shopping for the latest trends on SHEIN and ROMWE, their personal data was stolen and Zoetop tried to cover it up. Failing to protect consumers’ personal data and lying about it is not trendy. SHEIN and ROMWE must button up their cybersecurity measures to protect consumers from fraud and identity theft. This agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers; anything less will not be tolerated.”

In June 2018, Zoetop was targeted in a cyberattack. Attackers stole credit card information and personal information, including names, email addresses, and hashed account passwords of certain Zoetop customers, including SHEIN shoppers. Zoetop did not detect the intrusion and was later notified by its payment processor that its systems appeared to have been compromised. The payment processor reported that it had been contacted by a large credit card network and a credit card issuing bank, each of which had information “indicating that [Zoetop’s] system[s] have been infiltrated and card data stolen.”

Following the cyberattack, Zoetop engaged a cybersecurity firm to conduct a forensic investigation. The cybersecurity firm confirmed that attackers had gained access to Zoetop’s internal network and had altered the code responsible for processing customer transactions in an attempt to intercept and exfiltrate customers’ credit card information. The cybersecurity firm also found that the attackers had exfiltrated the personal information of SHEIN customers, including names, email addresses, and hashed account passwords. Worldwide, 39 million SHEIN account credentials were stolen, including the credentials of more than 375,000 New York residents.

The OAG investigation found that Zoetop contacted only a fraction of the 39 million SHEIN accounts whose login credentials had been compromised and did not reset passwords or otherwise protect any of the exposed accounts. For the vast majority of SHEIN accounts impacted in the breach — more than 32.5 million accounts worldwide and 255,294 New York residents — Zoetop failed to even alert those customers that their login credentials had been stolen.

In addition, Zoetop’s public statements about the data breach included several misrepresentations about the breach’s size and scope. For example, Zoetop falsely stated that only 6.42 million consumers had been impacted in the breach and that the company was in the process of notifying all of the impacted customers. Zoetop also represented, falsely, that it “ha[d] seen no evidence that [customer] credit card information was taken from our systems.”

Two years later, Zoetop discovered customer login credentials for ROMWE customer accounts available on the dark web. Based on the results of a forensic investigation, Zoetop concluded that the ROMWE login credentials had likely been exfiltrated in 2018 in the same attack that had impacted SHEIN accounts. Zoetop reset the passwords of affected accounts and notified affected ROMWE consumers. In all, the login credentials of over 7 million ROMWE accounts were stolen, of which nearly 500,000 belonged to New York residents.

The OAG found that, at the time of the 2018 data breach, Zoetop failed to maintain reasonable security measures to protect customers’ data in several areas:

  • Password Management: Until August 2018, Zoetop hashed customer passwords using an algorithm that was known at the time to be insufficient to protect against attacks.
  • Protection of Sensitive Customer Information: Zoetop misconfigured its systems to store credit card information from certain transactions in a debug log file in plain text, which is less secure and easier for hackers to access. In addition, at the time of the breach, Zoetop failed to perform scans to identify where on its systems cardholder data was stored.
  • Monitoring: Zoetop did not run regular external vulnerability scans or regularly monitor or review audit logs to identify security incidents.
  • Incident Response: Zoetop did not have a comprehensive, written incident response plan in place to address a cyberattack. In addition, following the 2018 data breach, Zoetop failed to take timely action to protect many of the impacted customers.

As a result of today’s agreement, Zoetop is required to pay New York $1,900,000 in penalties and costs. In addition, Zoetop must maintain a comprehensive information security program that includes robust hashing of customer passwords, network monitoring for suspicious activity, network vulnerability scanning, and incident response policies requiring timely investigation, timely consumer notice, and prompt password resets.
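Two of the control failures the OAG lists (an insufficient password-hashing algorithm, and card numbers written in plain text to a debug log) map directly onto remediations named in the agreement. The following is an added example, not code from the press release, from Zoetop, or from the OAG; it shows what "robust hashing of customer passwords" looks like in practice (salted, iterated PBKDF2-HMAC-SHA256 from Python's standard library, contrasted with a bare unsalted digest) and a log filter that masks card numbers before a debug line is written. The iteration count, the record format, and every sample input are assumptions constructed for illustration.

```python
"""
Added example (not from the NY AG release or Zoetop): two controls named in the
settlement, shown in working code.
1. Salted, iterated password hashing (PBKDF2-HMAC-SHA256 via hashlib), beside a
   bare unsalted digest of the kind the release calls "insufficient".
2. Masking primary account numbers (PANs) before a line reaches a debug log, so a
   misconfigured debug setting cannot persist card data in plain text.
All sample values below are constructed for illustration.
"""
import hashlib
import hmac
import os
import re

# ---- 1. Password hashing --------------------------------------------------

# Assumption: 600,000 is the OWASP-recommended PBKDF2-HMAC-SHA256 work factor
# (2023 guidance); tune to your hardware and revisit periodically.
PBKDF2_ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """Unsalted, single-round digest: equal passwords give equal hashes and
    precomputed tables defeat it. Shown only as the 'before' state."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, *, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    A fresh 16-byte salt per user means identical passwords never collide, and
    storing the iteration count lets the work factor be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key from the stored salt and iteration count and compare in
    constant time. Malformed or foreign records verify as False, never raise."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk.hex(), hash_hex)


# ---- 2. Keeping card data out of debug logs --------------------------------

# 13-19 digits, optionally separated by spaces or dashes, on word boundaries.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def _luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out long non-card numbers such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(line: str) -> str:
    """Replace every Luhn-valid card-length digit run with a masked form that
    keeps only the last four digits. Call this on every line headed for a
    debug or application log, regardless of the current log level."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not _luhn_ok(digits):
            return m.group(0)  # not a card number; leave it untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return _PAN_RE.sub(_mask, line)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    # Constructed debug line using a well-known test card number.
    print(redact_pans("DEBUG charge card=4111 1111 1111 1111 order=1234567890123"))
```

The verifier stores the algorithm and work factor inside the record, which is what lets an operator raise `PBKDF2_ITERATIONS` and re-hash users on their next login rather than forcing a mass reset; the redaction filter sits in front of the logger so that the "debug log file in plain text" failure cannot recur through a configuration change alone.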

This matter was handled by Assistant Attorney General Hanna Baek and Senior Enforcement Counsel Jordan Adler of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim A. Berger and Deputy Bureau Chief Clark P. Russell. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is overseen by Chief Deputy Attorney General Chris D’Angelo and First Deputy Attorney General Jennifer Levy.

Source: New York Attorney General

Category: Breach Incidents
