Fashion brand SHEIN fined $1.9m for lying about data breach
2022-10-17 18:50

Chinese company Zoetop, former owner of the wildly popular SHEIN and ROMWE "fast fashion" brands, has been fined $1,900,000 by the State of New York.

Frankly, we're surprised that Zoetop got off so lightly, considering the size, wealth and brand power of the company, its apparent lack of even basic precautions that could have prevented or reduced the danger posed by the breach, and its ongoing dishonesty in handling the breach after it became known.

A credit card company came across SHEIN customers' card data for sale on an underground forum, suggesting that the data had been acquired in bulk from the company itself, or from one of its IT partners.

As the investigation explained, "Any exfiltration of payment card data would [thus] have happened by intercepting card data at the point of purchase." As you can imagine, given the lack of an incident response plan, the company was subsequently unable to tell how well the data-stealing malware had worked, though the fact that customers' card details appeared on the dark web suggests that the attackers were successful.

Perhaps worst of all, the company discovered passwords from its ROMWE website for sale on the dark web in June 2020, and ultimately realised that this data had probably been stolen back in the 2018 breach that it had already tried to cover up.

Only in December 2020, after a second tranche of passwords-for-sale was found on the dark web, apparently bringing the ROMWE part of the breach to more than 7,000,000 accounts, did the company admit to its customers that they had been caught up in what it blandly referred to as a "data security incident."
News URL

https://nakedsecurity.sophos.com/2022/10/17/fashion-brand-shein-fined-1-9m-for-lying-about-data-breach/