The parent company of women’s fashion site Shein has been fined $1.9 million after being accused of lying about the extent of the data breach and notifying “only a fraction” of customers affected.
Four years ago, we reported how Shein had suffered a hacker attack in which the personal information of over 6 million customers was exposed.
At the time, Shein said the names, email addresses and “encrypted password credentials” of “approximately 6.42 million customers” were stolen by hackers who implanted malware on their servers.
However, a subsequent investigation by the New York State Attorney General’s Office revealed that Shein’s parent company, Zoetop:
- failed to adequately protect the data of Shein and sister site Romwe customers prior to the attack. For example, it used weak hashing algorithms for passwords, misconfigured its payment systems, and stored some credit card details in plain text log files;
- failed to reset passwords or otherwise secure customers’ exposed accounts;
- downplayed the scope of the attack to consumers.
Rather than the details of 6.42 million Shein customers, it then emerged that some 39 million accounts worldwide had been exposed in the attack.
According to investigators, Shein failed to even alert the “majority of affected Shein accounts” and 32.5 million account holders were unaware of the risks.
Additionally, Zoetop’s claim that it “did not see any evidence that credit card information was stolen from our system” was incorrect. The hackers had gained access to its systems and card data had been stolen.
As I grumbled at the time the hack was announced, Shein’s online FAQ about the data breach gave the impression of having been written by an amateur, as its source code accidentally exposed questions that had been left unanswered.
This week, New York Attorney General Letitia James announced Shein’s parent company, Zoetop, was fined $1.9 million and asked to tighten its cybersecurity.
“Shein and Romwe’s weak digital security measures have made it easier for hackers to shoplift consumers’ personal data,” said Attorney General James, not afraid of fashion-related puns. “While New Yorkers were shopping for the latest Shein and Romwe trends, their personal data was stolen and Zoetop tried to cover it up. It’s not a fad. Shein and Romwe recommend cybersecurity measures to protect consumers from fraud and identity theft. Anything less than that is not acceptable.”
Zoetop has been mandated to maintain a comprehensive information security program that includes stronger hashing of customer passwords, network monitoring for suspicious activity, network vulnerability scanning, and incident response policies requiring timely investigation, timely consumer notification, and prompt password resets.
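Two of the findings above, weak password hashing and card details written to plain text logs, are the kind of defect a settlement like this is meant to fix. The following is an added illustration, not code from Shein, Zoetop or the Attorney General’s Office, of what “stronger hashing” and “don’t log card data” look like in practice: an unsalted fast digest of the sort criticised, beside a salted, memory-hard scrypt hash with constant-time verification, plus a redaction filter that masks card numbers before a line reaches a log file. The scrypt parameters, the stored-hash format and the sample log line are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Weak scheme of the kind the investigation criticised: a fast, unsalted digest.
# Identical passwords give identical hashes, and fast digests are cheap to brute-force.
def weak_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Stronger scheme: scrypt (memory-hard, in the standard library) with a random
# 16-byte salt per user. Parameters are assumed for illustration; tune to your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # ~16 MiB of memory per hash

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: scheme$N$r$p$salt_hex$digest_hex (format assumed)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Card numbers are 13-19 digits, optionally separated by spaces or hyphens.
# The pattern starts and ends on a digit so trailing separators are not swallowed.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def redact_pan(line: str) -> str:
    """Mask everything but the last four digits of any card-number-shaped token."""
    def mask(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(mask, line)

if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
    # Constructed sample log line; the card number is a well-known test number.
    print(redact_pan("charge ok card=4111 1111 1111 1111 amount=12.00"))
```

Storing the parameters alongside the salt and digest is what lets a site migrate: records still carrying the old scheme are rehashed with the stronger one at the user’s next successful login, and a password reset campaign of the kind the settlement requires retires the rest.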