New York AG's SHEIN Haul: $1.9 Million for data security failures
Videos showing off huge orders of cheap clothing from SHEIN, dubbed “SHEIN hauls,” helped propel the online retailer to viral fame in recent years. But this week, New York state announced its own haul — $1.9 million from SHEIN and parent company Zoetop for alleged data security and consumer protection failures related to a 2018 breach.
“While New Yorkers were shopping for the latest trends on SHEIN and ROMWE, their personal data was stolen and Zoetop tried to cover it up. Failing to protect consumers’ personal data and lying about it is not trendy,” New York Attorney General Letitia James said in a press release.
“Data beaches are the unfortunate debris of an internet economy that shortchanges security,” Georgetown Law professor and former director of the FTC’s Bureau of Consumer Protection David Vladeck told The Record.
However, actions like those taken by the state attorney general’s office in response to the Zoetop breach could encourage companies to step up their security, he said.
Zoetop was attacked in 2018, resulting in the theft of customer credit card and personal information from some 39 million SHEIN customers. At the time of the attack, the company downplayed the scope and severity of the incident.
The attorney general investigation found Zoetop only alerted a fraction of those affected and ”did not reset passwords or otherwise protect any of the exposed accounts.”
When the breach occurred, Zoetop used insufficient security to manage customer passwords, misconfigured systems in ways that left credit card information exposed in plaintext, lacked basic monitoring for security issues, and did not have a plan in place to address cyberattacks, according to the Attorney General.
Customer information from ROMWE, apparently exfiltrated as part of the same attack, was also later found on the Dark Web, the state attorney general said..
In a statement, SHEIN said the company “fully cooperated with the New York Attorney General” regarding the investigation.
“Since the data breach, which occurred in 2018, we have taken significant steps to further strengthen our cybersecurity posture and we remain vigilant,” the company wrote.
Per the agreement announced Wednesday, Zoetop must pay New York $1.9 million in penalties and costs as well as commit to a “comprehensive security program.”
Even as data breaches have grown increasingly commonplace, the U.S. lacks a comprehensive federal privacy and data security law. A bipartisan privacy bill made some headway earlier this legislative session and the Federal Trade Commission (FTC) is exploring the creation of regulation that would cover data and information security. Absent federal regulation, it has fallen on states to protect consumers.
For example, a patchwork of data breach notification laws now apply across different states.
And In August, California’s Attorney General announced its first fine under the California Consumer Privacy Act — a $1.2 million penalty to make-up maker Sephora — and is looking ahead to more.
Andrea Peterson (they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.