Date: 2022-10-12
The company that owns popular online shopping websites Shein and Romwe must pay $1.9 million for failing to protect the personal information of millions of customers and trying to downplay a data breach.
Zoetop Business Company, which owns and operates both of the online retailers, agreed to pay the penalties on Wednesday, according to New York Attorney General Letitia James.
“Shein and Romwe’s weak digital security measures made it easy for hackers to shoplift consumers’ personal data,” James said. “While New Yorkers were shopping for the latest trends on Shein and Romwe, their personal data was stolen and Zoetop tried to cover it up. Failing to protect consumers’ personal data and lying about it is not trendy. Shein and Romwe must button up their cybersecurity measures to protect consumers from fraud and identity theft. This agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers, anything less will not be tolerated.”
According to the AG’s office, data was stolen from 39 million Shein accounts and 7 million Romwe accounts, 800,000 of which were New York residents.
James says the company failed to protect the sensitive data prior to the breach and did not take adequate steps to safeguard the impacted accounts after the breach while downplaying the extent of the cyberattack to customers.
The hack happened in June of 2018 and millions of names, email addresses and account passwords were stolen. James says the company did not realize the attack had happened until it received notification from its payment processor.
After the company confirmed the attack, James says only a fraction of the 39 million affected customers were notified that their accounts were compromised.
Zoetop also falsely claimed only 6 million customers were impacted instead of 39 million, according to James.
Two years after the 2018 breach, Romwe customers’ account information was located on the dark web, and Zoetop determined the data came from the 2018 breach. James says more than 7 million customers were affected, and 500,000 of them were New Yorkers.
According to the AG’s office, Zoetop failed to prevent the 2018 breach due to poor password management, a failure to protect sensitive customer information within their system, a lack of monitoring for cyber risks and poor incident response.
As a result of Tuesday’s agreement, Zoetop is required to pay New York $1.9 million in penalties and costs, and take active steps to improve its information security programs.