Not So Fast: Retailer Shein Fined $1.9M for Breach Cover-Up39 Million Shoppers of Shein and Romwe Weren't Notified of Personal Data Exposure
Fast-fashion clothing brand Shein has been fined $1.9 million by the New York state attorney general for multiple failings tied to a massive 2018 data breach.
"While New Yorkers were shopping for the latest trends on Shein and Romwe, their personal data was stolen and Zoetop tried to cover it up," says Attorney General Letitia James, referring to Shein's former parent company. "Failing to protect consumers' personal data and lying about it is not trendy."
James says the fine also reflects inadequate cybersecurity policies, practices and procedures previously in place at the online retailer, including substandard password security.
After stolen account information surfaced on cybercrime markets in 2020, the company forced password resets for all affected customers but inaccurately explained it as being due to their not having updated their password for more than 365 days, according to the assurance agreement co-signed by the attorney general and Shein's parent company. Per the agreement, the company will provide regular updates to state officials about its security program for the next five years, as well as offer prepaid identity theft services to all breach victims.
"This agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers; anything less will not be tolerated," James says.
Reached for comment, a Shein spokesman tells Information Security Media Group: "We have fully cooperated with the New York Attorney General and are pleased to have resolved this matter."
He adds: "Protecting our customers' data and maintaining their trust is a top priority, especially with ongoing cyberthreats posed to businesses around the world. Since the data breach, which occurred in 2018, we have taken significant steps to further strengthen our cybersecurity posture and we remain vigilant."
The fine represents a small fraction of the company's profits. Its annual 2021 revenues reached $15.7 billion.
Although widely popular, with its sites reportedly sporting more than 43 million active users across 150 countries, the Chinese company has also faced criticism for its throwaway approach to clothes, aka fast fashion, as well as questions over its labor practices.
Target: Payment Card Data
Zoetop, which was then the parent company of the two brands affected by the breach - Shein and Romwe - in July 2018 received an alert from a credit card brand and payment processor warning that its network had been "infiltrated" and also "card data stolen," according to the assurance agreement. After a restructuring, both brands affected by the breach are now run by a company called Shein Distribution Corp.
The processor required Zoetop to engage a digital forensic investigator approved by the Payment Card Industry Security Standards Council to investigate. The attorney general says Zoetop didn't give the PCI-qualified forensic investigator sufficient access to conduct a thorough investigation. Based on what it was able to review, however, the PFI identified multiple PCI DSS failures, including a failure "to adhere to PCI DSS requirements for protecting stored credit card data."
Zoetop also hired third-party cybersecurity investigators to probe the breach, and they determined that it was aimed at stealing payment card data, according to details of the investigation included in the assurance agreement. While Zoetop was only storing the final four digits of credit cards, investigators found that "the attackers had altered some Zoetop code responsible for processing customer transactions in an attempt to intercept and exfiltrate customer credit card information."
They also determined that attackers had likely stolen login credentials - email addresses and hashed passwords - as well as account holders' names and cities, and that much of this information, including fully cracked passwords, had surfaced for sale on cybercrime forums. Account credentials for approximately 375,000 New York residents were among the exposed information.
While the passwords had been hashed by Zoetop, the New York attorney general's office reports that at the time, the company was using the MD5 cryptographic hash function, but with only a two-digit salt. "It was known at the time that this method was insufficient to protect against password-cracking attacks," it says (see: Researchers Crack 11 Million Ashley Madison Passwords). The company has since improved its password-handling practices.
Also, when its breach investigation concluded in September 2018, James says Zoetop failed to force password resets for all customers. "Instead, Zoetop identified a subset of the more than 39 million impacted accounts that had previously placed an order with Shein - 6.42 million accounts worldwide, including more than 375,000 New Yorkers - and, of this subset, contacted accounts in the U.S., Canada, and Europe, recommending that these account holders themselves initiate a password reset." It says Zoetop also offered prepaid identity theft protection for the 6.42 million account holders. But that left the owners of 32.5 million accounts worldwide that had also been affected by the breach unaware.
The New York attorney general says Zoetop also issued misleading information about the breach via a website FAQ in which it claimed that about 6.42 million customers in total had been affected by the breach, and that it was directly notifying anyone affected. But the attorney general says that wasn't true.
Catalog of Security Shortcomings
Based on what it was allowed to see, the PFI reportedly found numerous cybersecurity shortcomings at the fashion giant.
"Zoetop failed to adhere to PCI DSS requirements related to network monitoring and testing, as the company did not use file integrity monitoring, monitor or analyze log files, retain an audit trail history, or perform quarterly network vulnerability scans," according to the assurance agreement.
In addition, it says, "the PFI found that Zoetop either had not developed, implemented and documented a variety of policies and procedures as required by PCI DSS, or had simply refused to provide the forensic firm with copies of the documented policies and procedures, including a data security policy, an incident response plan, and policies and procedures for protecting stored cardholder data, developing and maintaining secured systems and applications, monitoring access to network resources and cardholder data, and log retention."
The attorney general reports that Zoetop regained PSS DCI certification in April 2019, and Shein Distribution Corp. has continued to maintain it without interruption.
Stolen Data Appears for Sale
The breach of Romwe data didn't come to light until June 2020, when plaintext credentials for Romwe.com users were found for sale on a cybercrime forum. Zoetop hired a cybersecurity firm to investigate, and it determined that the credentials had likely been stolen in the 2018 attack, according to the assurance agreement.
In September 2020, having reevaluated the apparent severity of the 2018 attack, Zoetop forced password resets on all affected Shein accounts, although it didn't notify customers about what had happened, according to the New York attorney general. Instead, customers saw the following message: "Your password has not been updated in more than 365 days. For your protection, please update it now."
More Romwe data continued to appear on cybercrime markets, leading Zoetop in December 2020 to force password resets for the 7.3 million affected Romwe account holders.
But as with Shein, it neglected to alert them that their credentials might have been affected by the breach.
On Dec. 30, 2020, Zoetop finally notified Romwe customers about the suspected exposure and offered U.S. residents prepaid identity theft monitoring. With this week's assurance agreement, that offer will now be made to all 39 million affected customers.