SHEIN and Romwe Owner Hit with $1.9 Million in Fines
Table of Contents
- By Steven
- Published: Oct 17, 2022
- Last Updated: Oct 18, 2022
SHEIN and Romwe are clothing retail sites best known for their high affordability and fast shipping. Both claim to be “cyber malls for the next gen(eration).” Both SHEIN and Romwe are owned by the parent company Zoetop. In 2018, Zoetop had a data breach that affected more than 39 million shoppers. SHEIN is headquartered in China, and Romwe is based in California.
How Did the Attack Occur?
In 2018, Zoetop was attacked, which left its cybersecurity in shambles. Zoetop never released the attack method, but we do know that it was a full-scale attack that affected most of SHEIN’s customers. There were tens of millions of customers affected, which did nothing to help the reputation of the multi-billion dollar fashion retailer.
What Information Was Viewed or Stolen?
The stolen information includes the login credentials, names, and credit card information of over 39 million SHEIN shoppers and another 7 million Romwe customers. Zoetop claimed to notify all affected customers immediately following the breach. A statement from the New York Attorney General read, “An investigation by the Office of the Attorney General (OAG) revealed that the company failed to properly safeguard consumers’ information prior to the data breach, failed to take adequate steps to protect many of the impacted accounts after the breach, and downplayed the extent of the cyberattack to consumers.”
How Did Zoetop Admit to the Breach?
Zoetop admitted to the breach in 2018, just after it happened, and that is not where its problems lie. The lawsuit is because Zoetop stated that the breach only affected about 6 million shoppers and that all affected consumers were being sent notifications, which proved false.
What Will Become of the Stolen Information?
From what we can tell, the hacker(s) sold the information on the dark web. Now, over 46 million people, most very young and many minors, have their personal information on the dark web. At the time of writing, it’s been four years since the incident. “Since 2018, we have significantly expanded our cybersecurity team; retained leading cybersecurity experts to help build our security organization and strengthen our global security posture to combat potential risks and vulnerabilities,” SHEIN stated. “(W)e have been certified as compliant with the ISO’s 27001 standard and the payment card industry’s Digital Security Standard for data protection.”
What Should Affected Parties Do in the Aftermath of the Breach?
In the aftermath of the breach, it’s a good idea for customers to invest in device scanning and protecting software. You can use this software to sweep your device for malware or other dangerous software and alert you if your information is on an unauthorized site. Another great idea is to watch your credit score and credit card reports. As with any card, alert your provider if there are any purchases that you did not make or authorize.
