Zoetop Business Company, the firm that owns the fast fashion brands SHEIN and ROMWE, has been fined US$1.9mn by the state of New York after failing to disclose a data breach that affected 39 million customers.
The cyber security incident, which took place in July 2018, saw a malicious third party gain unauthorized access to SHEIN’s payment systems. According to a statement issued by the New York State Attorney General’s office, SHEIN’s payment processor contacted the brand and disclosed that it had been “contacted by a large credit card network and a credit card issuing bank, each of which had information indicating that [Zoetop’s] system[s] have been infiltrated and card data stolen”.
The credit card network had made this discovery after finding SHEIN customers’ payment details for sale on a hacking forum. Separately, the issuing bank had raised a fraud alert after linking fraudulent activity on several customers’ cards to payments made to SHEIN.
Following the discovery of the cyber-attack, the payment processor informed SHEIN that it must engage a cyber security forensic investigator to look into the case. The firm engaged by Zoetop found that, during the cyber-attack, malicious actors had gained access to SHEIN’s internal systems and had accessed personal and identifying information for 39 million customers.
The data accessed included “names, city/province information, email addresses and hashed account passwords”. However, the hashing method used to protect the passwords was weak enough to be cracked, allowing the attackers to recover customers’ passwords in full.
Additionally, the login credentials of nearly 7.3 million ROMWE accounts were stolen in the breach and were later found for sale on the dark web in 2020.
An investigation by the New York Attorney General’s (AG) office found that Zoetop did not force any of the 39 million people affected to reset their account passwords. Instead, Zoetop identified the 6.4 million customers among the 39 million affected who had previously placed an order with SHEIN and contacted them directly, suggesting they reset their password. Zoetop reset the passwords for the accounts affected by the ROMWE attack without informing those customers that they had been exposed in a data breach.
The New York AG also reported that a statement regarding the 2018 breach, published in an FAQ section of the SHEIN website, contained misleading information. This included claims that only 6.4 million customers were affected in the breach and that there was “no evidence that [customer] credit card information was taken from [its] systems”, despite Zoetop having previously been informed that credit card data had been stolen in the breach.
The investigation also found that, during the forensic review, Zoetop “did not provide the firm access to the compromised systems and a variety of information about [its] data security program”, that it had “failed to adhere to PCI DSS requirements for protecting stored credit card data”, and that it “did not use file integrity monitoring, monitor or analyze log files, retain an audit trail history, or perform quarterly network vulnerability scans”.
Cyber Security Hub, a division of IQPC