Attorney General James Secures $1.9 Million from E-Commerce … – New York State Attorney General


Zoetop Failed to Notify All 39 Million SHEIN Shoppers of a
Data Breach and Downplayed the Scope of the Breach to Consumers

More than 800,000 New Yorkers Were Impacted by SHEIN and ROMWE Data Breach
NEW YORK – New York Attorney General Letitia James today secured $1.9 million from e-commerce retailer, Zoetop Business Company, Ltd. (Zoetop), for failing to properly handle a data breach that compromised the personal information of tens of millions of consumers worldwide and for lying about the scope of the breach to consumers. Zoetop, which owns and operates the popular e-commerce brands SHEIN and ROMWE, had a data breach in which 39 million SHEIN accounts and 7 million ROMWE accounts were stolen, including accounts for more than 800,000 New York residents. SHEIN and ROMWE are popular shopping sites frequently used by millennials and Gen Zers. An investigation by the Office of the Attorney General (OAG) revealed that the company failed to properly safeguard consumers’ information prior to the data breach, failed to take adequate steps to protect many of the impacted accounts after the breach, and downplayed the extent of the cyberattack to consumers. As a result of today’s agreement, Zoetop must pay $1.9 million in penalties to the state and strengthen its cybersecurity measures to protect consumers’ information.
“SHEIN and ROMWE’s weak digital security measures made it easy for hackers to shoplift consumers’ personal data,” said Attorney General James. “While New Yorkers were shopping for the latest trends on SHEIN and ROMWE, their personal data was stolen and Zoetop tried to cover it up. Failing to protect consumers’ personal data and lying about it is not trendy. SHEIN and ROMWE must button up their cybersecurity measures to protect consumers from fraud and identity theft. This agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers; anything less will not be tolerated.”
In June 2018, Zoetop was targeted in a cyberattack. Attackers stole credit card information and personal information, including names, email addresses, and hashed account passwords of certain Zoetop customers, including SHEIN shoppers. Zoetop did not detect the intrusion and was later notified by its payment processor that its systems appeared to have been compromised. The payment processor reported that it had been contacted by a large credit card network and a credit card issuing bank, each of which had information “indicating that [Zoetop’s] system[s] have been infiltrated and card data stolen.” 
Following the cyberattack, Zoetop engaged a cybersecurity firm to conduct a forensic investigation. The cybersecurity firm confirmed that attackers had gained access to Zoetop’s internal network and had altered code responsible for processing customer transactions in an attempt to intercept and exfiltrate customers’ credit card information. The cybersecurity firm also found that the attackers had exfiltrated the personal information of SHEIN customers, including names, email addresses, and hashed account passwords. Worldwide, 39 million SHEIN account credentials were stolen, including the credentials of more than 375,000 New York residents.
The OAG investigation found that Zoetop contacted only a fraction of the 39 million SHEIN accounts whose login credentials had been compromised and did not reset passwords or otherwise protect any of the exposed accounts. For the vast majority of SHEIN accounts impacted in the breach — more than 32.5 million accounts worldwide and 255,294 New York residents — Zoetop failed to even alert those customers that their login credentials had been stolen.  
In addition, Zoetop’s public statements about the data breach included several misrepresentations about the breach’s size and scope. For example, Zoetop falsely stated that only 6.42 million consumers had been impacted in the breach and that the company was in the process of notifying all of the impacted customers. Zoetop also represented, falsely, that it “ha[d] seen no evidence that [customer] credit card information was taken from our systems.”    
Two years later, Zoetop discovered customer login credentials for ROMWE customer accounts available on the dark web. Based on the results of a forensic investigation, Zoetop concluded that the ROMWE login credentials had likely been exfiltrated in 2018 in the same attack that had impacted SHEIN accounts. Zoetop reset the passwords of affected accounts and notified affected ROMWE consumers. In all, the login credentials of over 7 million ROMWE accounts were stolen, of which nearly 500,000 belonged to New York residents.
The OAG found that, at the time of the 2018 data breach, Zoetop failed to maintain reasonable security measures to protect customers’ data in several areas:
As a result of today’s agreement, Zoetop is required to pay New York $1,900,000 in penalties and costs. In addition, Zoetop must maintain a comprehensive information security program that includes robust hashing of customer passwords, network monitoring for suspicious activity, network vulnerability scanning, and incident response policies requiring timely investigation, timely consumer notice, and prompt password resets. 
This matter was handled by Assistant Attorney General Hanna Baek and Senior Enforcement Counsel Jordan Adler of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim A. Berger and Deputy Bureau Chief Clark P. Russell. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is overseen by Chief Deputy Attorney General Chris D’Angelo and First Deputy Attorney General Jennifer Levy.

