
Fast-Fashion Designer Zoetop ordered to pay $1.9 million for data breach

October 12, 2022 Rob Abruzzese

A fast-fashion retailer known as Zoetop, which owns popular brands Shein and Romwe, is being forced to pay $1.9 million for failing to properly handle a data breach that left nearly 39 million accounts vulnerable.

In the data breach, which occurred in June 2018, 39 million Shein accounts and 7 million Romwe accounts were stolen, including those of more than 800,000 New Yorkers, according to the Attorney General’s Office.

The Attorney General said that the company failed to notify the majority of the affected users, had failed to properly safeguard consumers’ information prior to the breach, and failed to take adequate steps following it.


“Shein and Romwe’s weak digital security measures made it easy for hackers to shoplift consumers’ personal data,” said Attorney General Letitia James. “While New Yorkers were shopping for the latest trends on Shein and Romwe, their personal data was stolen and Zoetop tried to cover it up. Failing to protect consumers’ personal data and lying about it is not trendy. Shein and Romwe must button up their cybersecurity measures to protect consumers from fraud and identity theft.”

In the data breach, attackers stole credit card information, personal information and email addresses of certain Zoetop customers, but the company did not detect the intrusion until it was notified by its payment processor, which had in turn been contacted by a credit card issuing bank, according to the Attorney General’s Office.

Zoetop hired a cybersecurity firm to conduct an investigation, according to the Attorney General’s Office, and that firm confirmed that hackers had altered Zoetop’s internal network so that they could intercept credit card data during transactions. The firm also identified the approximately 39 million compromised accounts.

Once Zoetop had that information, it failed to contact the holders of all 39 million accounts, and it did not reset passwords or otherwise protect those exposed accounts, according to the Attorney General’s Office. Public statements made by the company at that time downplayed the size of the breach and falsely claimed that credit card information was not stolen. Two years later, those accounts were available for download on the dark web.

In addition to the $1.9 million fine, Zoetop must maintain a comprehensive information security program that includes robust hashing of customer passwords and network monitoring.
