New York Attorney General has entered into a settlement with Zoetop who own SheIn and Romwe. Following a data breach, the online retailers downplayed the cyberattack and were found to have inadequate safeguards in place. The breach investigation showed that more than 39 million accounts were exposed worldwide. The SheIn and Romwe retailer must now pay the State of New York $1.9 million.
Data Breach
Zoetop were notified about the breach by their payment processor. The processor reported it had been contacted by a large credit card network and bank which both had information indicating the retailer’s systems had been infiltrated and credit card information stolen. The bank issued a fraud alert to Zoetop after linking multiple fraud cases on their customers’ accounts back to earlier purchases the customers had made on either SheIn or Romwe sites.
The retailer hired a cybersecurity firm to investigate the breach. The information from that investigation showed that the cyberattack had provided access and likely exfiltrated the information of millions of account holders. The information taken included:
- Names
- City/Province information
- Email addresses
- Hashed account passwords
The stolen log in information was then put on sale on a hacking forum. Worldwide, more than 39 million account credentials were included in the data exposed online. Of that, more than 375,000 New York residents were impacted. These were the basis of the New York Attorney General’s case.
Breach Response
When investigating the cyberattack it was discovered that Zoetop were using a vulnerable hashing algorithm. Hashing passwords is the method used to hide your account password from hackers. However, in this case, the hashing algorithm used by Zoetop was known to be insecure.
Following the investigation results, Zoetop failed to force the 39 million accounts that were impacted to conduct a password reset. Instead, they identified just 6.42 million accounts that has previously placed an order on one of their sites and contacted them recommending the account holder initiate a password reset. This meant more than 32.5 million accounts were not contacted about the breach. The only additional notification was a public press release on their website. This information was also included within their FAQ section. However, it was shown that several of the statements made by Zoetop were misleading.
Outcome
Following the case, the New York Attorney General has fined Zoetop $1.9 million. Additionally, the retailer is required to comply with relevant New York laws in connection with its collection, use, and maintenance of customer personal information. They are also not allowed to misrepresent:
- The manner or extent to which it protects the privacy, security, or confidentiality of personal information
- Any aspect of a security event, including the customer and customer personal information impacted
- The basis for resetting a password associated with a customer account.
Find out more about privacy laws in the USA.
