Fine for Shein! Fashion site hit with $1.9 million bill after lying about data breach

Graham CLULEY

October 17, 2022

The parent company of women's fashion site Shein has been fined $1.9 million after being accused of lying about the extent of a data breach, and of notifying "only a fraction" of affected customers.

Four years ago we reported how Shein had suffered a hacker attack that saw the personal details of over six million customers exposed.

At the time, Shein said that the names, email addresses, and "encrypted password credentials" of "approximately 6.42 million customers" had been stolen by hackers who had planted malware onto its servers.

A subsequent investigation by the Office of the New York State Attorney General, however, uncovered that Shein's parent company Zoetop:

  • had failed to properly safeguard the data of Shein and sister-site Romwe customers prior to the attack. For instance, it used a weak hashing algorithm for passwords, and misconfigured its payment system so that some credit card details were stored in a plain text log file.
  • did not reset passwords or otherwise protect any of its customers' exposed accounts.
  • had downplayed the extent of the attack to consumers.

It was subsequently learnt that rather than the details of 6.42 million Shein customers being stolen in the attack, there were 39 million exposed accounts worldwide.

According to investigators, Shein failed to even alert the "vast majority of Shein accounts impacted" - leaving 32.5 million account owners oblivious to the risk.

Furthermore, Zoetop's claim that it had "seen no evidence that credit card information was taken from our systems" was false, as the company had not even identified that it had suffered a breach until it was informed by a payment processor that there were indications Zoetop's systems had been infiltrated and card data stolen.

As I tweeted at the time of the hack's announcement, Shein's online FAQ about the breach gave the impression of an amateur response - with unanswered questions accidentally left in its source code.

This week, New York Attorney General Letitia James announced that Shein's parent company Zoetop was being fined $1.9 million, and was required to strengthen its cybersecurity.

"Shein and Romwe’s weak digital security measures made it easy for hackers to shoplift consumers’ personal data," said Attorney General James, who wasn't afraid to include a number of fashion-related puns. "While New Yorkers were shopping for the latest trends on Shein and Romwe, their personal data was stolen and Zoetop tried to cover it up. Failing to protect consumers’ personal data and lying about it is not trendy. Shein and Romwe must button up their cybersecurity measures to protect consumers from fraud and identity theft. This agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers, anything less will not be tolerated."

Zoetop has been ordered to maintain a comprehensive information security program that includes more robust hashing of customer passwords, network monitoring for suspicious activity, network vulnerability scanning, and incident response policies requiring timely investigation, timely consumer notice, and prompt password resets.
