Image: Shein

New York Attorney General Letitia James announced a $1.9 million settlement with Shein-owner Zoetop Business Company, Ltd. for allegedly “failing to properly handle a data breach that compromised the personal information of tens of millions of consumers worldwide,” including by “lying about the scope of the breach to consumers.” In a statement on Wednesday, the Attorney General’s Office asserted that Zoetop, which owns and operates the e-commerce brands SHEIN and ROMWE, suffered a data breach in June 2018 as a result of which “39 million SHEIN accounts and 7 million ROMWE accounts were accessed, including the accounts of more than 800,000 New York residents,” and personal information, including credit card information “of certain Zoetop customers,” was stolen.

An investigation by the Office of the Attorney General (“OAG”) in New York revealed that Hong Kong-headquartered Zoetop “failed to properly safeguard consumers’ information prior to the data breach and [then] failed to take adequate steps to protect many of the impacted accounts after the breach,” which it did not detect on its own but was “later notified [about] by its payment processor.” Following such notification, the OAG maintains that Zoetop engaged a cybersecurity firm, which “confirmed that attackers had gained access to Zoetop’s internal network and had altered code responsible for processing customer transactions in an attempt to intercept and exfiltrate customer’s credit card information.” Hackers were also confirmed to have “exfiltrated the personal information of SHEIN customers, including names, email addresses, and hashed account passwords.”

The OAG claims that Zoetop, despite being aware of the expansive nature of the breach, “downplayed the extent of the cyberattack to consumers.” For instance, the company “contacted only a fraction of the 39 million SHEIN accounts whose login credentials had been compromised and did not reset passwords or otherwise protect any of the exposed accounts,” according to the OAG. For the “vast majority” of SHEIN accounts impacted in the breach (more than 32.5 million accounts worldwide, including 255,294 belonging to New York residents), Zoetop “failed to even alert those customers that their login credentials had been stolen.”

The OAG further alleges that Zoetop made “several [public] misrepresentations about the breach,” including “falsely stating that only 6.42 million consumers had been impacted in the breach and that the company was in the process of notifying all of the impacted customers.” The SHEIN owner also allegedly “represented, falsely, that it ‘ha[d] seen no evidence that [customer] credit card information was taken from our systems’” as a result of the data breach.     

As a result of its probe into the company, the OAG says that it found that at the time of the 2018 data breach, Zoetop failed to maintain reasonable security measures to protect customers’ data in several areas, including …

An excerpt from the New York AG's release

With the foregoing in mind, the OAG confirmed on Wednesday that it reached an agreement with Zoetop, which requires the company to pay $1.9 million in “penalties and costs.” Additionally, Zoetop will have to “maintain a comprehensive information security program that includes robust hashing of customer passwords, network monitoring for suspicious activity, network vulnerability scanning, and incident response policies requiring timely investigation, timely consumer notice, and prompt password resets.” 
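The settlement term that matters most for the stolen credentials is “robust hashing of customer passwords.” The following is an added illustration, not code from the OAG release or from Zoetop, of why that wording is there: it contrasts a fast, unsalted digest (the kind of scheme an offline dictionary attack defeats in seconds once a hashed-password table is exfiltrated) with a per-user-salted, memory-hard scheme (scrypt from Python’s standard library) and a constant-time verifier. The scrypt parameters, the stored-record format, the leaked account table and the wordlist are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# --- Weak scheme: one fast, unsalted digest per password -------------------
# Identical passwords yield identical digests, and an attacker holding the
# exfiltrated table needs only one SHA-1 per wordlist entry to crack every
# account that used that word.
def weak_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_weak(leaked: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Offline dictionary attack against an unsalted fast-hash table.
    Returns {username: recovered_password} for every account whose digest
    matches a wordlist entry."""
    rainbow = {weak_hash(word): word for word in wordlist}
    return {user: rainbow[digest] for user, digest in leaked.items() if digest in rainbow}


# --- Robust scheme: per-user salt + memory-hard KDF -------------------------
# Parameters are an assumption for the example (16 MiB of memory per guess);
# they are stored with each record so they can be raised later without
# invalidating existing hashes.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute scrypt with the stored parameters and compare in constant time,
    so a wrong guess cannot be distinguished byte-by-byte via timing."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), dklen=len(bytes.fromhex(digest_hex)),
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# --- Constructed sample data (not real Zoetop records) ---------------------
LEAKED_WEAK_TABLE = {
    "alice": weak_hash("password123"),
    "bob": weak_hash("password123"),      # same digest as alice: no salt
    "carol": weak_hash("Tq9!vLm#2zWp"),   # not in the wordlist
}
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein"]


def demo() -> Dict[str, str]:
    cracked = crack_weak(LEAKED_WEAK_TABLE, WORDLIST)
    record = strong_hash("password123")
    print("cracked from weak table:", cracked)
    print("strong record:", record)
    print("verify correct:", verify("password123", record))
    print("verify wrong:", verify("password124", record))
    return cracked


if __name__ == "__main__":
    demo()
```

With the weak scheme two users who chose the same password are cracked together from a five-word list; with the salted scrypt record the same password produces a different hash for every user, each guess costs the attacker 16 MiB of memory and a deliberate delay, and the stored parameters leave room to raise the cost as hardware improves. Together with the prompt password resets the agreement also requires, this is what limits the damage once a credential table has already left the network.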

In a statement, New York Attorney General James said on Wednesday, “SHEIN and ROMWE’s weak digital security measures made it easy for hackers to shoplift consumers’ personal data. While New Yorkers were shopping for the latest trends on SHEIN and ROMWE, their personal data was stolen and Zoetop tried to cover it up.” She further asserted, “Failing to protect consumers’ personal data and lying about it is not trendy. SHEIN and ROMWE must button up their cybersecurity measures to protect consumers from fraud and identity theft,” noting that “this agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers, anything less will not be tolerated.”

The $1.9 million settlement is a relatively small sum when compared to the annual revenue of the SHEIN brand alone. The privately-held company – which has made its name by dropping thousands of new garment and accessory styles each week, with price tags that start at $2 for a crop top and max out at $150 for a down puffer – nabbed a $100 billion valuation following the close of a funding round this spring. (That valuation reportedly fell between April and July, when Bloomberg revealed that “investors looking to sell stakes in SHEIN are evaluating bids at discounts of about 30 percent to its $100 billion valuation in April … amid concern about the Chinese fast-fashion giant’s slowing growth.”)

SHEIN is estimated to have generated sales of at least $16 billion in 2021 (up just 60 percent year-over-year, compared to growth of 250 percent YoY in 2020), driven largely by demand from Western Gen-Z and millennial shoppers.

A representative for SHEIN told TFL on Wednesday, “We have fully cooperated with the New York Attorney General and are pleased to have resolved this matter. Protecting our customers’ data and maintaining their trust is a top priority, especially with ongoing cyber threats posed to businesses around the world. Since the data breach, which occurred in 2018, we have taken significant steps to further strengthen our cybersecurity posture and we remain vigilant.”