Shein owner fined $1.9M for failing to notify 39M users of data breach

A data breach from 2018 is putting Shein under the spotlight as the ultra-fast fashion e-commerce platform continues to conquer Gen-Z markets across the world.

Zoetop, the firm that owns Shein and its sister brand Romwe, has been fined $1.9 million by New York for failing to properly handle a security incident, according to a notice from the state’s Attorney General office this week. New York doesn’t publicly release data breach notifications as Maine, New Hampshire, California, or other states do, which is why the AG’s notice came so much later than the cyberattack itself.

Shein, which was founded in China and recently moved its core assets to Singapore, saw explosive growth during the pandemic as virus prevention measures pushed consumers to shop online. Its jaw-dropping affordability and vast clothing options have made it one of the fastest-growing consumer internet platforms worldwide in the past two years.

The firm’s meteoric rise puts the once low-key fashion exporter from China on the spot. It went from having no dedicated PR personnel just a few years ago to now scrambling to handle mounting media inquiries about supply chain transparency and alleged design theft as it further grows and gears up for an IPO.

The data breach brings it yet another PR problem. The company claims it’s significantly stepped up its security measures since.

“We have fully cooperated with the New York Attorney General and are pleased to have resolved this matter. Protecting our customers’ data and maintaining their trust is a top priority, especially with ongoing cyber threats posed to businesses around the world. Since the data breach, which occurred in 2018, we have taken significant steps to further strengthen our cybersecurity posture and we remain vigilant,” Shein says in a statement.

What happened?

A cybersecurity attack that originated in 2018 resulted in the theft of 39 million Shein account credentials, including those of more than 375,000 New York residents, according to the AG’s announcement. An investigation by the AG’s office found that Zoetop only contacted “a fraction” of the 39 million compromised accounts, and for the vast majority of the users impacted, the firm failed to even alert them that their login credentials had been stolen.

The AG’s office also concluded that Zoetop’s public statements about the data breach were misleading. In one instance, the firm falsely stated that only 6.42 million consumers had been impacted and that it was in the process of informing all the impacted users.

A lot has changed since 2018. Shein has risen from an up-and-coming online fast fashion seller at the time to an all-encompassing e-commerce platform that is threatening Amazon. In the second quarter of this year, the app’s U.S. downloads surpassed Amazon’s for the first time. The data breach might be dated, but keep in mind that Shein has been operating since 2008, so four years ago is quite recent in the firm’s history. Cost-saving, trend-seeking Gen-Z consumers might continue to shop on Shein despite its publicity issues, but to win the trust of regulators and the general public, there’s still much to be done.

Shein owner fined $1.9M for failing to notify 39M users of data breach by Rita Liao originally published on TechCrunch