Shein owner Zoetop fined $1.9m over data breach response

The owner of fast-fashion site Shein has been fined $1.9m (£1.69m) over its handling of a data breach.

Credit-card and login details for 39 million Shein accounts were stolen in 2018 after its parent company, Zoetop, was targeted by hackers.

New York Attorney General Letitia James said Zoetop had lied about the extent of the breach and had notified “only a fraction” of affected customers.

Shein says it has taken “significant steps” to improve its cyber-security.

Names, email addresses, passwords and credit-card information belonging to tens of millions of Shein account holders were stolen by hackers and sold online.

A further seven million account holders of Romwe, another fast-fashion site owned by Zoetop, were caught up in the 2018 breach.

The New York Attorney General’s office said Zoetop had failed to safeguard customer data and to inform millions of account holders their personal information had been exposed.

Among those affected were more than 800,000 customers living in New York.

“While New Yorkers were shopping for the latest trends on Shein and Romwe, their personal data was stolen and Zoetop tried to cover it up,” Ms James said.

Her office said Zoetop had lied about the size of the breach – initially reporting that only 6.42 million Shein accounts had been exposed in the hack.

The bulk of the 39 million affected account holders were not contacted and there was no forced password reset for all those accounts.

At the time, the company also told consumers it had seen “no evidence” of credit-card or payment information being compromised and only email addresses and passwords had been stolen.

“Failing to protect consumers’ personal data and lying about it is not trendy,” Ms James said.

Romwe and Shein have become popular e-commerce destinations for millennial and “Gen Z” shoppers seeking trending fashion items at low prices.

In 2021, the Shein mobile app briefly jumped ahead of Amazon on iOS and Android app charts as the most downloaded shopping app in the US, with items costing $10.70 (£7.90) on average.

But Ms James said the brands had weak cyber-security, making it “easy for hackers to shoplift consumers’ personal data”.

The attorney general said the companies needed to “button up their cybersecurity measures” to protect customers.

A spokesperson for Shein said: “We have fully co-operated with the New York attorney general and are pleased to have resolved this matter.

“Protecting our customers’ data and maintaining their trust is a top priority, especially with ongoing cyber threats posed to businesses around the world.”