Privacy & Information Security Law Blog

On October 12, 2022, New York Attorney General Letitia James announced that her office had secured a $1.9 million penalty from e-commerce retailer Zoetop, owner of SHEIN and ROMWE, following an improperly handled data breach. The Office of the Attorney General of the State of New York (“NYAG”) alleged in its Assurance of Discontinuance that Zoetop failed to properly handle the breach and lied about its scope to consumers.

In 2018, attackers targeted Zoetop and stole the credit card information, email addresses and hashed account passwords of certain Zoetop customers. Zoetop discovered the breach after the company was notified by its payment processor with information “indicating that [Zoetop’s] system[s] have been infiltrated and card data stolen.” Zoetop engaged a cybersecurity firm, which confirmed that the attackers had exfiltrated the account credentials of 39 million SHEIN accounts, including 375,000 New York residents.

The NYAG’s investigation into Zoetop’s handling of the breach found that Zoetop did not contact all affected account holders, force password resets or otherwise take steps to protect affected individuals. Further, Zoetop made several public misrepresentations about the size and scope of the breach, including falsely stating that only 6.42 million consumers were impacted, that the company was notifying all impacted consumers and that the company had no evidence credit card information was impacted.

In addition, in 2020, Zoetop learned ROMWE login credentials were available on the dark web. Following a forensic investigation, Zoetop concluded the credentials likely had been exfiltrated during the 2018 cyberattack. Over 7 million ROMWE customer accounts had been compromised, of which approximately 500,000 belonged to New York residents. The NYAG’s investigation also found that Zoetop failed to maintain reasonable security measures, such as adequate password management, protecting sensitive customer information, properly monitoring its systems and maintaining an incident response plan. In addition to paying New York $1.9 million in penalties and costs, “Zoetop must maintain a comprehensive information security program that includes robust hashing of customer passwords, network monitoring for suspicious activity, network vulnerability scanning, and incident response policies requiring timely investigation, timely consumer notice, and prompt password resets.”